Preface


It is widely agreed that Carl Friedrich Gauss’s 1801 book Disquisitiones
Arithmeticae [G] was the beginning of modern number theory,
the first work on the subject that was systematic and comprehen- 
sive rather than a collection of special problems and techniques. The 
name “number theory” by which the subject is known today was in 
use at the time—Gauss himself used it (theoria numerorum) in Arti- 
cle 56 of the book—but he chose to call it “arithmetic” in his title. 
He explained in the first paragraph of his Preface that he did not 
mean arithmetic in the sense of everyday computations with whole 
numbers but a “higher arithmetic” that comprised “general studies 
of specific relations among whole numbers.” 


I too prefer “arithmetic” to “number theory.” To me, number the- 
ory sounds passive, theoretical, and disconnected from reality. Higher 
arithmetic sounds active, challenging, and related to everyday reality 
while aspiring to transcend it. 


Although Gauss’s explanation of what he means by “higher arith- 
metic” in his Preface is unclear, a strong indication of what he had in 
mind comes at the end of his Preface when he mentions the material 
in his Section 7 on the construction of regular polygons. (In modern
terms, Section 7 is the Galois theory of the algebraic equation
$x^n - 1 = 0$.) He admits that this material does not truly belong to
arithmetic but that “its principles must be drawn from arithmetic.”
What he means by arithmetic, I believe, is exact computation, close
to what Leopold Kronecker later called “general arithmetic.”¹


In 21st century terms, Gauss’s subject is “algorithmic mathe- 
matics,” mathematics in which the emphasis is on algorithms and 
computations. Instead of set-theoretic abstractions and unrealizable 
constructions, such mathematics deals with specific operations that 
arrive at concrete answers. Regardless of what Gauss might have 
meant by his title Disquisitiones Arithmeticae, what I mean by my 
title Higher Arithmetic is an algorithmic approach to the number- 
theoretic topics in the book, most of which are drawn from Gauss’s 
great work. 


Mathematics is about reasoning, both inductive and deductive. 
Computations are simply very articulate deductive arguments. The 
best theoretical mathematics is an inductive process by which such 
arguments are found, organized, motivated, and explained. That is 
why I think ample computational experience is indispensable to math- 
ematical education. 


In teaching the number theory course at New York University 
several times in recent years, I have found that students enjoy and 
feel they profit from doing computational assignments. My own ex- 
perience in reading Gauss has usually been that I don’t understand 
what he is doing until he gives an example, so I try to skip to the 
example right away. Moreover, on another level, in writing this and 
previous books, I have often found that creating exercises leads to a 
clearer understanding of the material and a much improved version 
of the text that the exercises had been meant to illustrate. (Very 
often, the greatest enlightenment came when writing answers to the 
exercises. For this reason, among others, answers are given for most 
of the exercises, beginning on page 179.) 


Fortunately, number theory is an ideal subject from the point of 
view of providing illustrative examples of all orders of difficulty. In 
this age of computers, students can tackle problems with real computational
substance without having to do a lot of tedious work. I
have tried to provide at the end of each chapter enough examples
and experiments for students to try, but I’m sure that enterprising
students and teachers will be able to invent many more.


¹ See Essay 1.1 of my book [E83]. For the relation of general arithmetic to
Galois theory, see Essay 2.1.


What began as an experiment in the NYU course turned into 
a substantial revision of the course. The experiment was to see how 
much of number theory could be formulated in terms of “numbers” in 
the most primitive sense—the numbers 0, 1, 2, ... used in counting. 
To my surprise, I found that not only could I avoid negative num- 
bers but that I didn’t miss them. The simple reason for this is that 
the basic questions of number theory can be stated in terms of con- 
gruences, and subtraction is always possible in congruences without 
any need for negative numbers. Negative numbers have always led to 
metaphysical conundrums—why should a negative times a negative 
be a positive?—which cause confusing distractions right at the outset 
when the meaning of “number” is being made precise. In this book, 
the meaning of “number” derives simply from the activity of counting 
and arithmetic can begin immediately. Kronecker’s famous dictum, 
“God created the whole numbers; all the rest is human work,” can be 
amended to say, “nonnegative whole numbers,” which is very likely 
what Kronecker meant anyway. 


A central theme of the book is the problem I denote by the equation
$A\Box + B = \Box$, the problem of finding, for two given numbers A
and B, all numbers x for which $Ax^2 + B$ is a square. As Chapter
2 explains, versions of this problem are at least as old as Pythago- 
ras, although two millennia later the Disquisitiones Arithmeticae still 
dealt with it. A simple algorithm for the complete solution is given 
in Chapter 19. 


Work on problems of the form $A\Box + B = \Box$ led Leonhard Euler
to the discovery of what I call “Euler’s law,” the statement that the
answer to the question “Is A a square mod p?” for a prime number
p depends only on the value of p mod 4A. This statement, of which
the law of quadratic reciprocity is a byproduct, is completely proved 
in Chapter 29. 


When Ernst Eduard Kummer first introduced his theory of “ideal 
complex numbers” in 1846, 45 years after the publication of Disqui- 
sitiones Arithmeticae, Gauss said that he had worked out something 
resembling Kummer’s theory for his “private use” when he was writing
about the composition of binary quadratic forms in Section 5 of
Disquisitiones Arithmeticae, but that he left it out of the book because
he had not been able to put it on firm ground.² Although the
proof of quadratic reciprocity given in this book was originally in- 
spired by Gauss’s proof using the composition of forms, it is stated 
in terms closer to Kummer’s ideal numbers. Specifically: 


If, in addition to using ordinary numbers 0, 1, 2, ... , one computes
with a symbol $\sqrt{A}$ whose square is a fixed number A, one has
an arithmetic—I have dubbed it the arithmetic of “hypernumbers”
for that A—in which the natural generalization of doing computations
mod n for some number n is to do computations mod [a, b] for
some pair of hypernumbers a and b. (With ordinary numbers, the
Euclidean algorithm serves to reduce the number of numbers in a set
that describes a modulus to just one, but with hypernumbers two may
be needed, as is shown in Chapter 18.) With natural definitions of
multiplication and equivalence of such “modules of hypernumbers,”
the computations needed to solve $A\Box + B = \Box$ and to prove quadratic
reciprocity can be explained very simply. In this way, Gauss’s difficult
composition of forms is avoided but the essence of his method is
preserved.


The last two chapters relate the methods of the book to Gauss’s 
binary quadratic forms so students interested in reading further in 
the Disquisitiones Arithmeticae—or students interested in binary qua- 
dratic forms—will be able to make the transition. 


Finally, an appendix gives a table of the cycles of stable modules 
of hypernumbers for all numbers A < 111 that are not squares, which 
will be useful for students, as they were for me, in understanding the 
general theory and in working out examples. 


² See [E4].


http://dx.doi.org/10.1090/stml/045/01 


Chapter 1 


Numbers 


This book deals with numbers of the simplest kind, the ones we learn 
as children when we learn to count, the numbers 0, 1, 2,... . (Zero is 
included because the outcome of a count can be “none.”) They are often
called “natural numbers” or “counting numbers” or “nonnegative
integers.” Here they—and only they—will be called numbers. 


Numbers are ordered in the sense that two given numbers a and
b satisfy either a < b or a = b or a > b, meaning that if two counts
are done simultaneously, one to a and one to b, either the count to
a will finish first, or they will finish at the same time, or the count
to b will finish first. Normally numbers are visualized as a sequence
written from left to right, starting with 0 and listing the numbers
in order, continuing (in the imagination) forever. In terms of this
image, the order relation becomes the relation of a lying to the left
of, or coinciding with, or lying to the right of, b.

Addition of numbers is very close conceptually to the basic meaning
of numbers as the outcomes of counts. If a set containing a objects
is united with a set containing b objects, the new set will contain
a + b objects. The basic properties of addition are commutativity—
the statement that a + b = b + a—and associativity—the statement
that (a + b) + c = a + (b + c). Both of them follow from the very
meaning of the operation of counting.




The notions of counting and recording numbers go back to the 
earliest periods of human prehistory, but our decimal system of writ- 
ing numbers and computing with them on paper is of comparatively 
recent origin—in Europe, at any rate, it was still a novelty five hun- 
dred years ago—and effective machine computations began to be done 
only in the 20th century. 


The decimal system writes numbers using just the ten symbols 0, 
1, 2, 3, 4, 5, 6, 7, 8, 9 for the first ten numbers and describes larger 
numbers using a place system to represent powers of ten, so that 12340
means $1 \cdot 10^4 + 2 \cdot 10^3 + 3 \cdot 10^2 + 4 \cdot 10$. Elementary and familiar as
this system is, its power and simplicity are definitely worthy of some 
attention at the outset of a course in number theory. For example, 
this system makes it possible for schoolchildren to learn to perform 
an addition like 12340 + 567890 = 580230 with little difficulty, a task 
that five hundred years ago required a skilled professional. 


Multiplication of numbers is a much more sophisticated operation 
than addition, and it is harder to teach to schoolchildren. If a and b
are numbers, their product is the number ab of objects in a rectangular 
array of objects that contains a rows and b columns. Since counting 
ab objects is the same as adding b to itself a times, the problem of 
computing the product of a and b—the problem of computing ab—can 
be reduced to addition by the algorithm: 


Input: Two numbers a and b.


Algorithm:
    Let p = 0 and t = a.
    While t > 0
        Reduce t by 1 and add b to p
    End

Output: p


The “while” loop is executed a times in the course of reducing t 
from a to 0 (if a = 0, the loop is never executed and p remains at 
zero) and each execution of the loop adds b to p, so that the final
value of p is the product—the number b added to itself a times. 


This algorithm is unusable for hand computation if a is at all 
large. Amazingly, modern computers are so lightning fast that they 
can multiply numbers with 4 or 5 digits rather quickly in this primitive 
way, but such a computation is a pointless waste of their power. A
more efficient but still elementary multiplication algorithm is: 


Input: Two numbers a and b.

Algorithm:
    Let p = 0 and t = a.
    While t ≥ 0 + 1
        Let k = 1.
        While t ≥ 10k
            Multiply k by 10
        End
        Reduce t by k and add kb to p.
    End

Output: p


This algorithm is geared to the decimal system in which multiplication 
by powers of 10 is easy—just shift the digits the required number of 
places to the left. Instead of adding b repeatedly to p, this algorithm 
finds the largest power of 10 that is less than or equal to a, call it 
$10^e = k$ (which one can do by inspection in the decimal system), adds
$10^e$ times b to p all at once (to find $10^e b$ does not, of course, require
multiplication, just writing e zeros after b), and reduces by $10^e$ the
number of times b still needs to be added to p.


This more efficient algorithm is similar to the algorithm that is 
taught in school, except that it begins with the leftmost digit of a 
rather than the rightmost, and it does not assume that multiplication 
by a single-digit number is easy; for example, if a = 32, it generates 
the product as p = (10 × b) + (10 × b) + (10 × b) + b + b instead of as
p = (2 × b) + (30 × b) the way the usual algorithm does.


Computers represent numbers in the binary system, not the dec- 
imal system, so multiplication by 2, rather than multiplication by 10, 
is the easy operation for them to do, because in binary arithmetic 
multiplication by 2 is accomplished by putting a zero to the right of 
the number. In adapting the above multiplication algorithm for use 
on a computer, therefore, it is natural to change 10 to 2 in the two 
places where it occurs. Of course an algorithm for multiplication is 
hard-wired into the circuitry of the computer where the user never 
needs to be concerned with it, but students of number theory should 
give thought to what the circuitry is accomplishing. 

The other basic laws of arithmetic

    ab = ba,  (ab)c = a(bc),  a(b + c) = ab + ac


all follow from the meaning of addition and multiplication in terms 
of counting and will be taken for granted. 


With this narrow meaning of “number,” subtraction and division
are not always possible.


The symbol $b - a$ represents “the number which, when added
to a, gives b,” and there is obviously no such number when $b < a$.
Therefore, this symbol can only be used legitimately (in view of the
meaning of “number” here) after $b \ge a$ has been proved. For example,
the last algorithm above could have said that t is to be replaced by
$t - k$ because it has determined k in such a way that $t \ge k$.


Division requires a similar restriction. The symbol b/a represents 
“the number which, when multiplied by a, gives b.” For randomly
chosen a and b there is very rarely any such number. Again, the
notation b/a will be used, but only when b has been shown to be a 
multiple of a. 


However, division with remainder works in all cases in which a
is not 0: Given two numbers a and b with $a \ne 0$, there are numbers
q and r for which $b = qa + r$ and $r < a$. Moreover, q and r are
determined by a and b by means of the simple algorithm:


Input: Two numbers a and b with a ≠ 0


Algorithm:
    Let q = 0 and r = b
    While r ≥ a
        Reduce r by a and add 1 to q
    End


Output: The quotient q and the remainder r of the division.


or, more efficiently, 


Input: Two numbers a and b with a ≠ 0

Algorithm:
    Let q = 0 and r = b
    While r ≥ a
        Set k = 1
        While r ≥ 2ka
            Multiply k by 2
        End
        Reduce r by ka and add k to q
    End

Output: The quotient q and the remainder r of the division.


(In decimal arithmetic, 10 would replace 2 in the two places it occurs.) 


These two algorithms begin with the solution (q, r) = (0, b) of
b = qa + r; they modify (q, r) at each step in such a way that b = qa + r
remains true and r is reduced, and they terminate when r < a. (If
a = 0, either algorithm endlessly subtracts 0 from b.) In the first
algorithm, a is repeatedly subtracted from r and 1 is added to q
until r is less than a, but in the second these operations are done in
batches—subtracting $2^e a$ from r and adding $2^e$ to q, where e is as
large as possible.
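
The two batch algorithms of this chapter, written out as an added Python example (it is not taken from the book): `multiply` is the second multiplication algorithm with the base as a parameter, and `divide` is the doubling form of division with remainder, with the invariant b = qa + r checked on every pass. The function names, the loop counters and the sample inputs in `demo` are assumptions made for the illustration.

```python
"""Batch multiplication and division with remainder on nonnegative integers.

Only comparison, addition, and subtractions already known to be possible are
applied to the operands; scaling by the base stands for the digit shift.
"""


def multiply(a, b, base=10):
    """Second multiplication algorithm. Returns (product, outer_loop_count)."""
    p, t, steps = 0, a, 0
    while t > 0:
        k, kb = 1, b                      # kb is always k*b
        while t >= base * k:              # grow k to the largest power of base <= t
            k, kb = base * k, base * kb   # a shift by one digit in that base
        t, p = t - k, p + kb              # t - k is possible because k <= t
        steps += 1
    return p, steps


def divide(b, a):
    """Doubling division. Returns (q, r, outer_loop_count) with b = q*a + r, r < a."""
    if a == 0:
        # With a = 0 the loop would subtract 0 from b forever.
        raise ZeroDivisionError("division with remainder needs a nonzero divisor")
    q, r, steps = 0, b, 0
    while r >= a:
        k, ka = 1, a                      # ka is always k*a
        while r >= ka + ka:               # r >= 2ka: the batch can be doubled
            k, ka = k + k, ka + ka
        r, q = r - ka, q + k              # r - ka is possible because ka <= r
        steps += 1
        assert q * a + r == b             # the invariant b = qa + r never breaks
    return q, r, steps


def demo():
    """Constructed sample inputs (not the numbers used in the exercises)."""
    product, m_steps = multiply(32, 7)            # the text's a = 32 case
    q, r, d_steps = divide(10**18 + 7, 12345)
    return {"product": product, "multiply_steps": m_steps,
            "quotient": q, "remainder": r, "divide_steps": d_steps}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Each pass of the outer loop of `multiply` removes one unit from one digit of a, so the pass count is the digit sum of a in the chosen base; each pass of `divide` contributes one distinct power of 2 to q, so its pass count is the number of 1 bits of q.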


Once again, the core idea is that of counting. Arithmetic—the 
operations of addition, subtraction, multiplication, and division with 
remainder—are mere elaborations. 


Exercises for Chapter 1 


Study Questions. 
1. Think through how you would explain the meaning and truth
of the commutative law ab = ba of multiplication to an intelligent
eight-year-old. 

2. Do the same for the associative law of multiplication (ab)c = 
a(bc) and the distributive law a(b+ c) = ab+ ac. 


3. Many of the computations in later chapters will deal with very 
large numbers—fifteen or more digits at times. Somewhat surpris- 
ingly, it can be tricky to do such computations on easily available com- 
puters using easily available software because most computations are 
done using floating point arithmetic, which limits the accuracy with 
which large numbers can be represented. A program called UBASIC 
is available for Windows computers with which the algorithms in the 
chapter can be programmed easily. Try to download UBASIC to your 
own computer if you have Windows, or, if not, try to develop some 
means of implementing these algorithms on your computer. UBASIC 
is in fact far more than is needed. All that is needed is a convenient 
method of carrying out algorithms for high-level counting like the
ones in the chapter. 


Computations. 


4. On a programmable calculator—or on a computer—implement 
the two multiplication algorithms given in the text. (See Exercise 3. 
For this exercise, you needn’t get into really large numbers, so round- 
off error should pose no problem and you can use ordinary compu- 
tations.) On a computer, though perhaps not on a calculator, you 
might be surprised to find how quickly the first algorithm finds prod- 
ucts of numbers with 3, 4, or 5 digits. For larger numbers, the naive 
first algorithm will become unworkable, but the speeded up second 
algorithm should do fine. 


5. Since the calculator or computer is doing the calculations, 
there is no point in using decimal instead of binary numbers. Try both
10 and 2 in the algorithms and see whether you find any significant 
difference in their execution times. 


6. On paper, multiply 33 and 21 in the usual way. Convert both 
numbers to binary and multiply them in binary. Convert the binary 
result to decimal to verify that the answers coincide. 


7. Compute 7 x 9876543210987654321 x 1234567890987654321. 


8. Write an implementation of the algorithm for division with 
remainder and use it to find the quotient and the remainder when 
9876543210987654321 is divided by 5432109876. (In this case, the 
quotient is so large that even a very fast computer cannot find it in a 
reasonable time by successively adding 1. The more efficient method 
that adds powers of 2 to q must be used.) 


http://dx.doi.org/10.1090/stml/045/02 
Chapter 2


The Problem
$A\Box + B = \Box$


The Pythagoreans—the followers of the semi-mythic Greek thinker
and teacher Pythagoras who lived in the 6th century BCE—are believed
to have studied the following sequence of ratios: 1/1, 3/2, 7/5,
17/12, 41/29, 99/70, 239/169, 577/408, .... The sequence is defined by two properties.
First, the denominator of each ratio is the sum of the numerator and
denominator of the preceding ratio and, second, the numerator of
each ratio is the sum of its denominator and the denominator of the
preceding ratio.


What was it about this sequence that interested the Pythagoreans?
It is the best possible description of the square root of 2 in the following
sense. In each ratio, the square of the numerator is very nearly
equal to twice the square of the denominator, so that the square of
the ratio (which is not a number) is very nearly equal to the ratio of 2
to 1. Specifically, $2 \cdot 1^2 - 1 = 1^2$, $2 \cdot 2^2 + 1 = 9 = 3^2$, $2 \cdot 5^2 - 1 = 49 = 7^2$,
$2 \cdot 12^2 + 1 = 289 = 17^2$, $2 \cdot 29^2 - 1 = 1681 = 41^2$, $2 \cdot 70^2 + 1 = 9801 = 99^2$,
$2 \cdot 169^2 - 1 = 57121 = 239^2$, $2 \cdot 408^2 + 1 = 332929 = 577^2$, .... The
pattern is probably clear—double the first square is alternately one
more than or one less than the second square. These observations
raise many questions. Will the pattern persist? Are there solutions
of $y^2 = 2x^2 + 1$ that it misses? Where does it come from? Why does
it work? And—the question a mathematician is most likely to ask—is
there a similar way to solve $y^2 = Ax^2 + 1$ for other numbers A?


Some centuries later, about 250 BCE, the great Greek mathematician
Archimedes studied the ratio of the circumference of a circle
to its diameter, the ratio we call $\pi$. He proved that $\pi$ is less than
$3\frac{1}{7}$ but greater than $3\frac{10}{71}$. This great achievement is related to
infinitesimal calculus, not number theory. However, in the course of
estimating $\pi$, Archimedes needed to estimate $\sqrt{3}$, and he asserted,¹
without explanation, that $\frac{265}{153} < \sqrt{3}$ and $\frac{1351}{780} > \sqrt{3}$. With your
calculator you can easily check that $3 \cdot 153^2 - 2 = 70225 = 265^2$
and $3 \cdot 780^2 + 1 = 1825201 = 1351^2$, which proves the inequalities
Archimedes states and justifies his use of them, but leaves one wondering
where he got them and whether there are others like them.
In particular, it is natural to wonder about his use of a solution of
$3x^2 - 2 = y^2$ for his lower estimate; a solution of $3x^2 - 1 = y^2$ would
seem preferable.


There is a reference in Plato’s dialogue Theaetetus (written a 
century before Archimedes’ estimate of 7) to a mathematician who 
studied the square roots of numbers up to 17, which suggests that the 
Greek mathematicians—although we usually think of them as being 
geometers—were interested in at least one problem in number theory, 
namely, the solutions of $Ax^2 + B = y^2$, where A = 2, 3, ..., 17 and
where B is a small number. 


We will use the shorthand $A\Box + B = \Box$ for this problem—given
two numbers² A and B, find squares $x^2$ and $y^2$ for which $Ax^2 + B = y^2$.
The problem $A\Box - B = \Box$ is included in $A\Box + B = \Box$ when one uses
the following trick. If $Ax^2 - B = y^2$, then $A^2x^2 - AB = Ay^2$, which
is to say $Ay^2 + AB = (Ax)^2$. Thus, the solutions of $Ax^2 - B = y^2$
coincide with the solutions of $Au^2 + AB = v^2$ in which v is divisible
by A. (Set y = u and x = v/A.)


¹ By the way, Archimedes and the other Greek mathematicians did not even
have the convenience of modern decimal notation—much less calculators—and 
the means by which they did their calculations is not exactly known. Most likely, 
it involved the use of a counting board or some other abacus-like device. 

² If A is a square, this problem is easy—see the exercises. Therefore, only the
case $A \ne \Box$ will be considered.

A primary objective in the chapters ahead is the complete solution
of $A\Box + B = \Box$: For given A and B, describe an algorithm that
produces all squares that solve the problem. (It will be shown, in
particular, that the Pythagorean sequence is an algorithm that produces
all solutions of $2\Box + 1 = \Box$.) This can be regarded as a vast
generalization of the question, “How could Archimedes have found his
approximations to $\sqrt{3}$?” Although the historical motive for studying
this problem might seem weak to students with no particular interest 
in the history of mathematics, the fact is that the path to its solution 
winds through all of the basic topics of elementary number theory 
and ends with a complete solution of the problem. It is not so much 
the problem itself as the methods used in its solution that make it 
worth studying. 
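
The two defining rules of the Pythagorean sequence and the trick that folds $A\Box - B = \Box$ into $A\Box + B = \Box$, as an added Python example (not from the book). The function names are assumptions of the illustration, `math.isqrt` is used for the exact square test, and the only inputs are numbers quoted in the chapter.

```python
from math import isqrt


def pythagorean_ratios(count):
    """First `count` ratios as (numerator, denominator), starting from 1/1.

    Rule 1: new denominator = previous numerator + previous denominator.
    Rule 2: new numerator   = new denominator + previous denominator.
    """
    num, den = 1, 1
    ratios = []
    for _ in range(count):
        ratios.append((num, den))
        new_den = num + den
        num, den = new_den + den, new_den
    return ratios


def classify(num, den):
    """'+1' if 2*den^2 + 1 = num^2, '-1' if 2*den^2 - 1 = num^2, else None."""
    if 2 * den * den + 1 == num * num:
        return "+1"
    if 2 * den * den == num * num + 1:     # the minus case, stated without subtraction
        return "-1"
    return None


def minus_to_plus(A, B, x, y):
    """Turn a solution of A*x^2 - B = y^2 into (u, v) with A*u^2 + A*B = v^2."""
    if A * x * x != y * y + B:
        raise ValueError("(x, y) does not solve A*x^2 - B = y^2")
    u, v = y, A * x                        # v is divisible by A by construction
    assert A * u * u + A * B == v * v
    return u, v


def scan_minus(A, B, limit):
    """Solutions (x, y) of A*x^2 - B = y^2 with y <= limit, found only through
    the plus form: scan u for A*u^2 + A*B = v^2 with v divisible by A."""
    found = []
    for u in range(limit + 1):
        n = A * u * u + A * B
        v = isqrt(n)                       # exact integer square root, no floats
        if v * v == n and v % A == 0:
            found.append((v // A, u))      # x = v/A, y = u
    return found


if __name__ == "__main__":
    for num, den in pythagorean_ratios(8):
        print(f"{num}/{den}: 2*{den}^2 {classify(num, den)} = {num}^2")
    print(minus_to_plus(3, 2, 153, 265))   # Archimedes' lower estimate 265/153
    print(scan_minus(3, 2, 300))
```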


Exercises for Chapter 2 


Study Questions. 


1. There is a very good reason Archimedes did not give a solution 
of $3x^2 - 1 = y^2$. See if you can find it. [Hint: It has to do with
multiples of 3.] 


2. See if you can construct a method of generating a sequence 
of ratios that alternates between solutions of $3x^2 + 1 = y^2$ and of
$3x^2 - 2 = y^2$ analogous to the Pythagorean sequence. [Hint: Don’t
try to use the same formula for all steps.]


3. Proposition 10 of Book 2 of Euclid’s Elements states, in words 
rather than algebraic symbols, that $(2x + y)^2 + y^2 = 2x^2 + 2(x + y)^2$.
Prove this as an algebraic identity. See if you can use it to derive the 
Pythagorean sequence of ratios. 


4. Try to find close approximations $5x^2 \approx y^2$ and see if you can
devise any methods for generating them. 


5. For what numbers A can you find solutions of $Ax^2 + 1 = y^2$?
For $Ax^2 - 1 = y^2$? [There is no easy answer. Trial-and-error produces
meager results as A varies.]


6. Try to devise plausible ways that Archimedes might have arrived
at his approximations to $\sqrt{3}$. [Nobody knows how he did.]


7. Give an algorithm for the complete solution of $A\Box + B = \Box$ in
the case in which A is a square. [This is a special case of the problem
$\Box + B = \Box$, which can be solved by observing that a difference of two
squares has a factorization pq in which $p = x + y$ and $q = x - y$.]


8. In the computation suggested in question 9 below, it is neces- 
sary to be able to determine whether a given large number is a square. 
Here is an algorithm that accomplishes this. 


Input: A number N


Algorithm:
    Let k = 1, t = N
    While t ≥ k
        Reduce t by k and increase k by 2
    End


Output: If t = 0 print “N is a square”, else print “N is not a square”


Figure out why it works. 


Computations. 


9. Devise a computer program that scans for solutions of $A\Box + B = \Box$.
For example, for a given A and for x = 1, 2, 3, ... find
the square that is nearest to $Ax^2$ and keep a record of those that
are less than 10 away from a square. This computation is a natural 
accompaniment to question 5 above. 


10. How far do you have to carry the scan for solutions of $13\Box + 1 = \Box$
before you find one? How about $61\Box + 1 = \Box$? [The second is
a trick question, but not in the way you might imagine.]

11. Carry the Pythagorean sequence far enough to find a 10-digit 
number x for which $2x^2 + 1$ is a square. What is that square?


http://dx.doi.org/10.1090/stml/045/03 
Chapter 3


Congruences


The history of mathematics shows over and over how important notation
is. As was mentioned in Chapter 1, the modern decimal system
of writing numbers was a great step forward in arithmetic. Around
the same time that decimal numbers began to be used, the idea of a
symbolic algebra using letters was also developed,¹ a notational innovation
that was crucial to the development of all of modern mathematics.
Another example of the importance of notation is the Leibniz
notation for calculus, which gave great advantages to those who used 
it over those who used Newton’s notation, even though Newton was 
a more profound mathematician than Leibniz. 


In number theory, a notational advance of comparable importance 
is the following simple notation introduced by Carl Friedrich Gauss in 
Disquisitiones Arithmeticae in 1801. Along with many great advances 
in mathematical knowledge, the book put forth a new notation for 
expressing the relation “m and n leave the same remainder when they 
are divided by a,” namely, the notation²


$$m \equiv n \bmod a.$$


¹ These two changes may have been related, because when letters were no
longer used to denote numbers, they could be used to denote algebraic quantities.

² This is not precisely Gauss’s notation, but it is the modern version of it.
He wrote $m \equiv n$ (mod. a) and omitted the parenthetical reference (mod. a) to the
modulus when the modulus could be inferred from the context.

In words, this is read, “m is congruent to n modulo a.” The sign $\equiv$
with three lines is called the “congruence sign”; as will be seen, its
role is very similar to that of the equal sign = with two lines. The
word “modulo” or “modulus” is a Latin word related to “measure,”³
and the congruence $m \equiv n \bmod a$ means something like “when you
ignore multiples of a, the numbers m and n are the same.” The phrase
“modulo a” is usually contracted to “mod a.”


(Note that the definition of $m \equiv n \bmod a$ is meaningless in the
case a = 0. In view of the lemma below, it is natural to define
congruence mod 0 as equality. That is, $m \equiv n \bmod 0$ means m = n,
which means, of course, that congruences mod 0 can be ignored.)


The symbol $\equiv$ by itself has no meaning, because the modulus a
must be specified. Similarly, the notation m mod a has no meaning,
because the modulus a pertains to a relation of congruence. A sign
$\equiv$ calls for a modulus and conversely.


Congruence mod a is an equivalence relation in the sense that
it is reflexive (every m satisfies $m \equiv m \bmod a$), symmetric (if
$m \equiv n \bmod a$, then $n \equiv m \bmod a$) and transitive (if $l \equiv m \bmod a$ and
$m \equiv n \bmod a$, then $l \equiv n \bmod a$), as follows immediately from the
definition.


What makes the congruence notation so powerful is that congruences
can be added and multiplied in the same way equations can be
added and multiplied, which means that familiar computational techniques
can be used to do computations with new number-theoretic
meanings. For example, congruence notation shows easily that Archimedes
was right to be satisfied with a solution of $3\Box - 2 = \Box$, because
$3\Box - 1 = \Box$ is impossible, as one can see in the following way. Division
of y by 3 leaves a remainder of 0, 1, or 2, so $y \equiv 0$, 1, or
$2 \bmod 3$, which implies, by the theorem below, that $y^2 \equiv 0^2$, $1^2$, or
$2^2 \equiv 1 \bmod 3$. Then, again by the theorem below, $y^2 + 1 \equiv 0 + 1 \bmod 3$
or $y^2 + 1 \equiv 1 + 1 \bmod 3$. Thus, $y^2 + 1 \equiv 1$ or $y^2 + 1 \equiv 2 \bmod 3$,
which means that even the congruence $y^2 + 1 \equiv 3x^2 \bmod 3$ is impossible
(by the theorem, $3x^2 \equiv 0 \bmod 3$), not to mention the equation
$y^2 + 1 = 3x^2$.


³ In the standard translation of Euclid’s Elements, the statement that a number
“measures” another is synonymous with the statement that the second number
is a multiple of the first.


Theorem. If a, k, l, m, and n are numbers for which $k \equiv l \bmod a$
and $m \equiv n \bmod a$, then $k + m \equiv l + n \bmod a$ and $km \equiv ln \bmod a$.


In short (and loosely stated) when congruent numbers are added 
or multiplied, the results are congruent, just as equals added to equals 
or multiplied by equals are equal. The more correct way to state 
this is to say that congruence mod a is consistent with addition and 
multiplication of numbers. 


This theorem is an easy consequence of: 


Lemma. To say $m \equiv n \bmod a$ is the same as to say that there are
numbers s and t for which $m + sa = n + ta$.


Proof of the lemma. Let a, m, and n be given. Say division of
m and n by a gives $m = q_m a + r_m$ and $n = q_n a + r_n$, respectively.
By definition, $m \equiv n \bmod a$ means $r_n = r_m$, so it implies
$m + q_n a = q_m a + r_m + q_n a = q_m a + r_n + q_n a = n + q_m a$, so $s = q_n$ and $t = q_m$
gives an equation of the required form. Conversely, if $m + sa = n + ta$,
then $r_m = r_n$ because both are the remainder when
$(q_m + s)a + r_m = (q_n + t)a + r_n$ is divided by a. □


Proof of the theorem. The lemma implies that if a, k, l, m, and
n are numbers for which $k \equiv l \bmod a$ and $m \equiv n \bmod a$, then there
are numbers s, t, u, and v for which $k + sa = l + ta$ and $m + ua = n + va$.
Addition of these two equations gives
$k + m + (s + u)a = l + n + (t + v)a$ which, by the lemma, implies $k + m \equiv l + n \bmod a$.
Similarly, multiplication gives $(k + sa)(m + ua) = (l + ta)(n + va)$ or
$km + (ku + sm + sua)a = ln + (lv + tn + tva)a$, so $km \equiv ln \bmod a$,
as was to be shown. □
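
The lemma, the theorem and the mod 3 argument about $3\Box - 1 = \Box$, as an added Python example (not from the book). `lemma_witness` returns the s and t used in the proof of the lemma, `theorem_holds` checks the theorem exhaustively over a small range, and `obstruction` generalizes the mod 3 argument by searching for any modulus that rules out $Ax^2 - B = y^2$; the function names and the letter c for that modulus are assumptions of the illustration.

```python
def congruent(m, n, a):
    """m ≡ n mod a: equal remainders on division by a (mod 0 means equality)."""
    return m == n if a == 0 else m % a == n % a


def lemma_witness(m, n, a):
    """Numbers (s, t) with m + s*a = n + t*a, or None if m and n are not congruent."""
    if not congruent(m, n, a):
        return None
    if a == 0:
        return (0, 0)
    s, t = n // a, m // a                  # s = q_n and t = q_m, as in the proof
    assert m + s * a == n + t * a
    return s, t


def theorem_holds(a, bound):
    """Check, for all k, l, m, n below bound, that k ≡ l and m ≡ n mod a
    force k + m ≡ l + n and k*m ≡ l*n mod a."""
    for k in range(bound):
        for l in range(bound):
            if not congruent(k, l, a):
                continue
            for m in range(bound):
                for n in range(bound):
                    if not congruent(m, n, a):
                        continue
                    if not congruent(k + m, l + n, a):
                        return False
                    if not congruent(k * m, l * n, a):
                        return False
    return True


def obstruction(A, B, max_modulus):
    """Smallest modulus c in 2..max_modulus for which y^2 + B ≡ A*x^2 mod c has
    no solution, which makes A*x^2 - B = y^2 impossible; None if none is found.

    By the theorem, only the remainders of x and y mod c matter, so it is
    enough to try x and y from 0 to c - 1.
    """
    for c in range(2, max_modulus + 1):
        left = {(y * y + B) % c for y in range(c)}
        right = {(A * x * x) % c for x in range(c)}
        if left.isdisjoint(right):
            return c
    return None


if __name__ == "__main__":
    print(lemma_witness(23, 9, 7))         # constructed sample numbers
    print(all(theorem_holds(a, 10) for a in range(8)))
    print(obstruction(3, 1, 10))           # the case 3x^2 - 1 = y^2 from the text
    print(obstruction(3, 2, 50))           # the case 3x^2 - 2 = y^2 from the text
```

A result of None from `obstruction` does not prove that a solution exists; it only says that no modulus up to the bound rules one out.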

Exercises for Chapter 3


Study Questions. 


1. What numbers less than 5 are squares mod 5? (That is, which
of the congruences $x^2 \equiv 0 \bmod 5$, $x^2 \equiv 1 \bmod 5$, ..., $x^2 \equiv 4 \bmod 5$
have solutions x?) What numbers less than 14 are squares mod 14?
Write an algorithm that determines, for a given modulus a and a 
given number N, whether N is a square mod a. 


2. Given that $x \equiv 2 \bmod 3$ and $x \equiv 1 \bmod 5$, what can you
conclude about x?


3. Given that $x \equiv 5 \bmod 6$ and $x \equiv 3 \bmod 7$, what can you
conclude about x?


4. Given that $4x \equiv 7 \bmod 15$, what can you conclude about x?

5. Given that $4x \equiv 6 \bmod 14$, what can you conclude about x?


6. Prove that subtraction modulo a makes sense (provided $a \ne 0$)
in that: for given numbers n, m, and a, the congruence
$x + n \equiv m \bmod a$ always has a solution, and any two solutions x are congruent
mod a. This observation means that minus signs can be used with
abandon in congruences. In other words, in a congruence mod a, for
any number m, the symbol $-m$ has a meaning, namely, it means any
number x that solves the congruence $x + m \equiv 0 \bmod a$.


7. Prove that division modulo $a$ does not make sense in an analogous
way. In other words, prove it is not true that: for given numbers
$n$, $m$, and $a$, the congruence $nx \equiv m \bmod a$ has a solution, and any
two solutions $x$ are congruent mod $a$. (Well, obviously the case $n = 0$
must be excluded—division by 0 is meaningless—but adding the
assumption $n \ne 0$ or even the assumption $n \not\equiv 0 \bmod a$ is not enough
to make the above assertion true.)


8. What, in simple terms, is the meaning of congruence mod 1? 


Computations. 


9. Write a program that scans for solutions $x$ of the congruence
$mx \equiv 1 \bmod a$ for given inputs $m$ and $a$. What patterns, if any, can
you use to distinguish between cases where solutions exist and cases
where they do not?


10. Write a program that scans for solutions $x$ of the simultaneous
congruences $x \equiv m \bmod a$ and $x \equiv n \bmod b$
for given inputs $m$, $n$, $a$, and $b$. What patterns, if any, can you use to
distinguish between cases where solutions exist and cases where they
do not?
Chapter 4


Double Congruences and the Euclidean Algorithm


Writing $m \equiv n \bmod a$ in the form $m + sa = n + ta$ where $s$ and $t$
are numbers (see the lemma of Chapter 3), suggests a type of double
congruence:


Definition. Given two nonzero numbers $a$ and $b$, two other numbers
$m$ and $n$ will be said to be congruent mod $[a, b]$, written $m \equiv n \bmod [a, b]$,
if there are numbers $s$, $t$, $u$, and $v$ for which
$m + sa + tb = n + ua + vb$.


Loosely speaking, the relation means that a step from $m$ to $n$ can
be accomplished using a combination of steps of size $a$ and steps of
size $b$. (Starting at $m$, take $s$ steps of size $a$ and $t$ steps of size $b$ to
the right, followed by $u$ steps of size $a$ and $v$ steps of size $b$ to the left
to end at $n$.)


For example, the equation $17 + 100 \cdot 60 + 3 \cdot 111 = 5 + 4 \cdot 60 + 55 \cdot 111$
(both numbers are 6350) shows that $17 \equiv 5 \bmod [60, 111]$.


One way of looking at a very important fact of elementary number
theory—perhaps the most important fact of elementary number
theory—is to say that such a notion of double congruence can in fact
be reduced to an ordinary single congruence:


Theorem. Let $a$ and $b$ be given numbers, neither of them zero.¹
There is a third number $c$ with the property that two numbers are
congruent mod $[a, b]$, as defined above, if and only if they are
congruent mod $c$. In fact, $c$ can be found by Euclid’s algorithm “subtract
the lesser from the greater” as explained below.


In the case $a = 60$ and $b = 111$ mentioned above, the rule “subtract
the lesser from the greater” calls for replacing congruence mod
[60, 111] with congruence mod [60, 51] (the lesser 60 is subtracted
from the greater 111). Repetition of the algorithm continues: [9, 51],
[9, 42], [9, 33], [9, 24], [9, 15], [9, 6], [3, 6], [3, 3]. At this point, there is
no “lesser” and it is unclear how to proceed, but in fact there is no
need to proceed, because congruence mod [3, 3] is the same as
congruence mod 3—both just mean that you can go from one number to
the other in steps of size 3.


Proof of the theorem. Loosely speaking, the statement to be proved
is that if $a < b$ and if you can go from $m$ to $n$ in steps of size $a$ and
$b$, then you can go from $m$ to $n$ in steps of size $a$ and $b - a$, and
conversely. This is true, because a step of size $b - a$ can be accomplished
by taking a step of size $b$ in one direction and then a step of size $a$ in
the opposite direction, while a step of size $a$ can be accomplished by
a step of size $a - b$ followed by a step of size $b$ in the same direction.


More precisely, what is to be shown is that if $a < b$ and
$m + sa + tb = n + ua + vb$ for some numbers $s$, $t$, $u$, $v$, then
$m + Sa + T(b - a) = n + Ua + V(b - a)$ for some numbers $S$, $T$, $U$, $V$, and conversely. That
the first equation implies the second comes from rewriting the first
equation in the form $m + (s + t)a + t(b - a) = n + (u + v)a + v(b - a)$.
That the second implies the first follows from adding $(T + V)a$ to both
sides to put the second equation in the form
$m + (S + V)a + Tb = n + (U + T)a + Vb$.


¹ If either $a$ or $b$ is zero, then the theorem is true in a trivial way because
congruence mod $[0, b]$ is the same as congruence mod $b$ and congruence mod $[a, 0]$
is the same as congruence mod $a$, as one sees directly from the definition.




When $a > b$, an analogous argument applies with the roles of $a$
and $b$ reversed.


Thus, congruence mod $[a, b]$ is the same as congruence mod $[a, b - a]$
when $a < b$ and the same as congruence mod $[a - b, b]$ when $a > b$.
Repetition of this process until² the two numbers are the same (in
the above example they both become 3) proves the theorem, because
it shows that congruence mod $[a, b]$ is the same as congruence mod
$[c, c]$ for some $c$, and it is clear from the definition that congruence
mod $[c, c]$ is the same as congruence mod $c$. □


The algorithm can be extended to lists of more than two numbers 
as well: 
Input: A list of nonzero numbers a_1, a_2, ..., a_n
Algorithm:
    While n > 1
        If a_1 = a_2 drop a_1 from the list and reduce all subscripts by 1
        Elseif a_1 < a_2 subtract a_1 from a_2
        Else subtract a_2 from a_1
    End
Output: The list containing one number with which the algorithm terminates


Clearly this algorithm terminates after a finite number of
iterations. (Each iteration reduces the number of numbers in the
list when the first alternative holds and otherwise reduces the
total of the numbers in the list, so the algorithm must terminate before
$n + a_1 + a_2 + \cdots + a_n + 1$ steps have been executed.)


When neither $a$ nor $b$ is zero, the number $c$ that describes the
double congruence mod $[a, b]$ is the greatest common divisor of $a$
and $b$ because it divides both $a$ and $b$ (both $a$ and $b$ are zero mod $[a, b]$,
so both are zero mod $c$, which is to say that both are divisible by $c$)
and is divisible by any number that divides both $a$ and $b$ (since $c$ is zero
mod $c$, it is zero mod $[a, b]$, which is to say that $c + sa + tb = 0 + ua + vb$
for some $s$, $t$, $u$, and $v$, so if $a$ and $b$ are both zero mod $d$, so is $c$).


² As long as the numbers are not equal, a repetition of the process reduces
the total of the two numbers. Since the reduction of the total cannot continue 
ad infinitum, the repetitions must eventually end, which means that the numbers 
will have become equal. 
More generally, congruence mod $[a_1, a_2, \ldots, a_n]$ is the same as
congruence mod $c$ where $c$, the output of the above algorithm, is the
greatest common divisor of $a_1, a_2, \ldots, a_n$, because it divides all of
the $a_i$ and is divisible by any number that divides all of the $a_i$. A list
$a_1, a_2, \ldots, a_n$ that includes zeros has a greatest common divisor in
the same way—simply ignore the zeros, because the greatest common
divisor of the nonzero entries in the list divides the zeros as well—
unless the list contains only zeros, in which case there is no greatest
common divisor because all numbers divide all entries.


Two numbers $a$ and $b$ are relatively prime if all numbers are
congruent to 0 mod $[a, b]$. This is clearly true if and only if at least
one of $a$ and $b$ is nonzero and their greatest common divisor is 1.
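
The list algorithm of this chapter, written out in Python as an added example (not code from the book). The function names are assumptions of this example, and "numbers" are taken to be non-negative integers; every state of the list is recorded so the [60, 111] run in the text can be reproduced and the iteration bound from the termination argument can be checked.

```python
from functools import reduce
from math import gcd


def euclid_list(numbers):
    """Run "subtract the lesser from the greater" on a list of nonzero numbers.

    Returns (c, states): c is the single number the algorithm ends with and
    states holds the list before the first iteration and after each one.
    """
    a = list(numbers)
    if not a or any(x <= 0 for x in a):
        raise ValueError("input must be a nonempty list of nonzero numbers")
    states = [tuple(a)]
    while len(a) > 1:
        if a[0] == a[1]:
            a.pop(0)        # drop a_1; the remaining subscripts shift down by 1
        elif a[0] < a[1]:
            a[1] -= a[0]    # subtract a_1 from a_2
        else:
            a[0] -= a[1]    # subtract a_2 from a_1
        states.append(tuple(a))
    return a[0], states


def iteration_bound(numbers):
    """The bound n + a_1 + ... + a_n + 1 from the termination argument."""
    return len(numbers) + sum(numbers) + 1


def congruent_mod_list(m, n, numbers):
    """Decide whether m is congruent to n mod [a_1, ..., a_n].

    Uses the theorem: the multiple congruence is the same as congruence
    mod c, where c is the output of the list algorithm.
    """
    c, _ = euclid_list(numbers)
    return (m - n) % c == 0


if __name__ == "__main__":
    c, states = euclid_list([60, 111])
    print("states:", " ".join(str(list(s)) for s in states))
    print("c =", c, "| iterations:", len(states) - 1,
          "| bound:", iteration_bound([60, 111]))
    # Cross-check against the standard library on a longer (constructed) list.
    sample = [60, 111, 45, 0 + 27]
    print(euclid_list(sample)[0], reduce(gcd, sample))
    print("17 = 5 mod [60, 111]:", congruent_mod_list(17, 5, [60, 111]))
```
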


Exercises for Chapter 4 


Study Questions. 


1. The example [60,111] was chosen in an attempt to conceal 
the greatest common divisor 3. Try to construct other pairs of small 
numbers that appear at first glance to be relatively prime but in fact 
are not. 


2. Alter the algorithm in the text in such a way that instead of
subtracting the lesser from the greater, it subtracts $2^e$ (or, if you are
planning to use the algorithm for pencil-and-paper computation, $10^e$)
times the lesser from the greater, where $e$ is the largest number for
which this subtraction is possible.


3. The equation $\frac{1}{6} + \frac{1}{3} = \frac{1}{2}$ (these are fractions, not numbers!)
has meaning mod $a$ whenever $a$ is relatively prime to 6. For example,
one can say that $\frac{1}{6} \equiv 2 \bmod 11$ provided one overlooks its evident
meaninglessness and sees instead the very clear meaning: “$x = 2$
solves the congruence $6x \equiv 1 \bmod 11$.” (On the meaning of 1/6 see
Chapter 1.) For the same reason, one can stretch the notation to say
that $\frac{1}{3} \equiv 4 \bmod 11$ and $\frac{1}{2} \equiv 6 \bmod 11$ because $3 \cdot 4 \equiv 1 \bmod 11$ and
$2 \cdot 6 \equiv 1 \bmod 11$, respectively. Note that, with these interpretations,
$\frac{1}{6} + \frac{1}{3} \equiv \frac{1}{2} \bmod 11$. Work out the analogous congruence for other
values of the modulus that are relatively prime to 6 like $a = 19$ or 43
or 143. Why does it always work out this way?




Computations. 


4. Write computer implementations of the algorithm of the text
and of the speeded up version in question 2 above. You should find
that they work very well, even for large inputs $a$ and $b$, except that
the one that is not speeded up can occasionally get stuck doing a lot
of subtractions as in the case $a = 1{,}000{,}000{,}000$, $b = 1{,}000{,}000{,}001$.
Chapter 5


The Augmented Euclidean Algorithm


Let a and b be nonzero numbers, and let d be their greatest common 
divisor. Loosely speaking, d is the size of the smallest step one can 
take by combining steps of size a and steps of size b. The augmented 
Euclidean algorithm determines how to take a step of size d using 
steps of size a and steps of size b. More precisely, it determines two 
ways of taking a step of size d using steps of size a and steps of 
size b; the steps of size a predominate in one and the steps of size b 
predominate in the other. 


In formulas, the algorithm finds solutions $u$, $v$, $x$, $y$ of the pair of
equations


(1)    $d + ub = va$
       $d + xa = yb$


where $a$ and $b$ are given nonzero numbers and $d$ is their greatest
common divisor. One can take a step of size $d$ to the right either by
taking $v$ steps of size $a$ to the right and $u$ steps of size $b$ to the left,
or by taking $y$ steps of size $b$ to the right and $x$ steps of size $a$ to the
left.


The augmented Euclidean algorithm can be formulated in 
the following way: 
Input: Two nonzero numbers a and b
Algorithm:
    Let d = a, e = b, u = 0, v = 1, x = 0, y = 1
    While d ≠ e
        If d > e, change d to d − e, u to u + y, and v to v + x
        Else change e to e − d, x to v + x, and y to u + y
    End
Output: Equations d + ub = va and d + xa = yb


If $u$, $v$, $x$, and $y$ are ignored, the algorithm is simply the Euclidean
algorithm “subtract the lesser from the greater” and it terminates
with both $d$ and $e$ equal to the greatest common divisor of $a$ and $b$ as
in Chapter 4. The equations $d + ub = va$ and $e + xa = yb$ hold at the
outset because $d + 0 \cdot b = 1 \cdot a$ and $e + 0 \cdot a = 1 \cdot b$ hold at the outset.
Each step preserves the truth of these equations, as can be seen in the
following way. If $d + ub = va$ and $e + xa = yb$ both hold, their sum
$d + (u + y)b = e + (v + x)a$ holds. If $d > e$, the step of the algorithm
leaves $e$, $x$, and $y$ unchanged, so the equation $e + xa = yb$ remains
true, while $d + ub = va$ becomes $(d - e) + (u + y)b = (v + x)a$ which
is true because it results when $e$ is subtracted from both sides of the
sum. In the same way, if $d < e$, the equation involving $d$ is unchanged
and the equation involving $e$ is changed to the equation obtained by
subtracting $d$ from both sides of the sum. Thus, both equations are
true at each step, including the last step, at which $d = e$, which shows
that the output equations are true.


The working of the algorithm can be seen clearly if the steps are 
shown in tabular form, with one column for each of d, e, u, v, x, and 
y and with one row for each step of the algorithm. 


For example, when a = 23 and b = 14, the table takes the form 




 d   e   u   v   x   y
23  14   0   1   0   1
 9  14   1   1   0   1
 9   5   1   1   1   2
 4   5   3   2   1   2
 4   1   3   2   3   5
 3   1   8   5   3   5
 2   1  13   8   3   5
 1   1  18  11   3   5


ending with the equations $1 + 18 \cdot 14 = 11 \cdot 23$ and $1 + 3 \cdot 23 = 5 \cdot 14$.


One of the main facts of applied number theory is that the aug- 
mented Euclidean algorithm is quite practical, even when the input 
numbers are enormous. Thus, the solutions of (1) for any given pair 
of nonzero numbers a and b can be found with ease. However, this is 
true only after the algorithm is modified, as the Euclidean algorithm 
was modified in Chapter 4, so that it subtracts convenient multiples 
of the lesser from the greater: 

Input: Two nonzero numbers a and b
Algorithm:
    Let d = a, e = b, u = 0, v = 1, x = 0, y = 1
    While d ≠ e
        Let k = 1
        While d > 2ke or e > 2kd
            Multiply k by 2
        End
        If d > e, change d to d − ke, u to u + ky, and v to v + kx
        Else change e to e − kd, x to kv + x, and y to ku + y
    End
Output: Equations d + ub = va and d + xa = yb


This “speeded up” version of the basic algorithm simply finds 
the largest power of 2, call it $k = 2^e$, for which the basic algorithm
will repeat the same step k times in a row, and performs these k 
steps all at once. In the example above, the speeded up algorithm 
produces the same calculation as the basic algorithm except that, 
at the end, instead of subtracting 1 from 4 three times in a row, 
the speeded up algorithm first subtracts it twice in a single step and 
then subtracts it once more. The effect in this case is simply to 
skip the third line from the bottom in the table, which is scarcely an
improvement in the computation. On the other hand, the speeded up 
algorithm is a huge improvement if at one point of the algorithm a 
step is encountered in which the smaller of d and e is much smaller, 
as is the case, for example, in the first step of the algorithm when it 
is applied to a = 1002 and b = 5. 


Exercises for Chapter 5 


Study Questions. 


1. (a) Find a multiple of 123 that is one more than a multiple of 
458, and find a multiple of 458 that is one more than a multiple of 
123, showing the working of the algorithm in full. 


(b) Find a solution of the simultaneous congruences $x \equiv 100 \bmod 123$
and $x \equiv 300 \bmod 458$.


(c) Find the smallest solution of these simultaneous congruences. 


2. (a) Show that if $a$ and $b$ are nonzero numbers and $d$ is their
greatest common divisor, then a solution $(x, y)$ of $d + xa = yb$ implies a
solution in which $x < b$. (b) Show that there is at most one solution
$(x, y)$ in which $x < b$. [Reduce to the case $d = 1$ and regard the
equation as a congruence mod $b$.]


3. Experience with the augmented Euclidean algorithm leads
one to expect that the solutions of equations (1) it produces are the
smallest possible ones, which is to say that $x < b$ and $u < a$. That this
is indeed the case can be seen by restating the augmented Euclidean
algorithm in the following way:


Input: Two nonzero numbers a and b
Algorithm:
    Set u = x = 0 and v = y = 1
    While a/b ≠ (u + y)/(v + x)
        If a/b < (u + y)/(v + x) set y = u + y and x = v + x
        Else set u = u + y and v = v + x
    End
Output: The equations d + ub = va and d + xa = yb where d is the greatest
common divisor of a and b


(In accordance with the definition of “number” in Chapter 1, the
fractions $\frac{a}{b}$ and $\frac{u+y}{v+x}$ are not numbers. The statements $\frac{a}{b} \ne \frac{u+y}{v+x}$ and
$\frac{a}{b} < \frac{u+y}{v+x}$ are shorthand for the statements $a(v + x) \ne b(u + y)$ and
$a(v + x) < b(u + y)$.)

(a) Prove that this algorithm produces the same (finite) sequences 
of values of u, v, x, and y that the augmented Euclidean algorithm 
does. 


(b) Prove that if $xu + 1 = yv$ and if $\frac{p}{q}$ is a fraction satisfying
$\frac{u}{v} < \frac{p}{q} < \frac{y}{x}$, then $q > v$ and $q > x$. (This is the fundamental fact in
the theory of Farey series. See, for example, [E1, p. 264].)


(c) Use (b) to show that the final value of $x$ is less than $b$ and the
final value of $u$ is less than $a$.


4. Given just one of the equations of (1), there is an easy way to 
determine the other. Find it. 


5. When $a$ is relatively prime to $b$, the number $v$ in (1) is called a
reciprocal of $a$ mod $b$. Explain. Thus, Exercise 3 of Chapter 4 states
that if $b$ is relatively prime to 6, then the reciprocal of 2 mod $b$ is the
sum of the reciprocal of 6 mod $b$ and the reciprocal of 3 mod $b$.


6. How can a reciprocal of $a$ mod $b$ be used to solve a congruence
of the form $ax \equiv c \bmod b$ for $x$ when $a$, $b$ and $c$ are nonzero numbers
and $a$ and $b$ are relatively prime?


7. Show that, when $a$ and $b$ are relatively prime, division by $a$
mod $b$ is possible in the sense that every congruence $ax \equiv c \bmod b$ has
a solution $x$ for every $c$ and that any two solutions $x$ are congruent
mod $b$.


8. Exercise 3 implies that if a and b are relatively prime, then 
the number v, which is the reciprocal of a mod b, determines not only 
u= 1 but also x and y in equations (1). Thus, the entire output of 
the augmented Euclidean algorithm can be deduced from the solution 
of the congruence ax = 1 mod b. This can be accomplished by the 


following alternative algorithm: 


Let the problem be to solve $ax \equiv c \bmod b$ when $a$, $b$, and $c$ are
given numbers and $a < b$. (If $a > b$, use the algorithm that follows to
find the reciprocal of $b$ mod $a$, from which the reciprocal of $a$ mod $b$
can be deduced.) Let $ma$ be the least multiple of $a$ that is greater
than $b$. The desired $x$ satisfies $max \equiv mc \bmod b$, which is to say
$a_1 x \equiv c_1 \bmod b$, where $a_1 = ma - b$ and $c_1 = mc$. If $a$ does not
divide $b$, then $a_1 < a$ and the new problem has the same form as the
original problem, except that $a$ is reduced. Repeated application of
this reduction method must eventually reach a problem of this form
in which $a$ divides $b$. But $ax \equiv c \bmod qa$ has a solution if and only if $a$
divides c, in which case the most general solution is x = = mod B (In 
particular, if a = 1, there is always a solution and the most general 
solution is $x \equiv c \bmod b$.)


Express this method of solving ax = c mod b as a formal algo- 
rithm. 


Computations. 


9. Implement the augmented Euclidean algorithm on a computer 
and see for yourself how well it works even with numbers that have 
many, many digits. 

10. The number 200560490130 is the product $2 \cdot 3 \cdot 5 \cdot 7 \cdot 11 \cdots 29 \cdot 31$
of the first 11 prime numbers. For various large numbers, find
their greatest common divisors with this number. What is the largest 
number m for which it is true that “a number with m digits that is 
relatively prime to 200560490130 is prime” ? 
Chapter 6


Simultaneous Congruences


Theorem. Let $a$ and $b$ be relatively prime nonzero numbers. For any
given numbers $m$ and $n$, the simultaneous congruences $x \equiv m \bmod a$
and $x \equiv n \bmod b$ are equivalent to a single congruence $x \equiv k \bmod ab$
for some $k$.


Proof. The assumption that $a$ and $b$ are relatively prime means that
their greatest common divisor is 1, so the augmented Euclidean
algorithm finds solutions of $1 + ub = va$ and $1 + xa = yb$. Then
$va \equiv 0 \bmod a$ and $va \equiv 1 \bmod b$, while $yb \equiv 1 \bmod a$ and $yb \equiv 0 \bmod b$.
The simultaneous congruences $x \equiv m \bmod a$ and $x \equiv n \bmod b$ can
then be solved simply by setting $x = m \cdot yb + n \cdot va$, because mod $a$
this number is $m \cdot 1 + n \cdot 0 = m$ and mod $b$ it is $m \cdot 0 + n \cdot 1 = n$.


Thus, the congruences have a solution for any given $m$ and $n$.
Since $x \equiv x' \bmod ab$ implies $x \equiv x' \bmod a$ and $x \equiv x' \bmod b$, any
number congruent to $myb + nva$ mod $ab$ is a solution, so there is a
solution less than $ab$.


It remains to show that there is only one solution less than $ab$.
This follows from the observation that there is a solution less than $ab$
of each of the $ab$ problems $x \equiv m \bmod a$ and $x \equiv n \bmod b$ in which
$m < a$ and $n < b$, so no two numbers less than $ab$ can solve the same
problem. □
This theorem is the case $l = 2$ of:


The Chinese Remainder Theorem.¹ Let $a_1, a_2, \ldots, a_l$ be nonzero
numbers with the property that $a_i$ and $a_j$ are relatively prime whenever
$i \ne j$, and let $m_1, m_2, \ldots, m_l$ be given numbers. The simultaneous
congruences

$x \equiv m_i \bmod a_i$    $(i = 1, 2, \ldots, l)$


have a solution, and any two solutions are congruent mod $a_1 a_2 \cdots a_l$.


Proof. Since $a_1$ and $a_2$ are relatively prime, the theorem above shows
that there is a number $k_1$ with the property that the simultaneous
congruences $x \equiv m_1 \bmod a_1$ and $x \equiv m_2 \bmod a_2$ are equivalent to
the single congruence $x \equiv k_1 \bmod a_1a_2$. Therefore, the three congruences
$x \equiv m_i \bmod a_i$ for $i = 1, 2, 3$ are equivalent to the pair of congruences
$x \equiv k_1 \bmod a_1a_2$ and $x \equiv m_3 \bmod a_3$. The above theorem then
shows that these two reduce to a single congruence of the form
$x \equiv k_2 \bmod a_1a_2a_3$ once it is shown that $a_1a_2$ and $a_3$ are relatively prime,
which is a consequence of:


Lemma. If $a$ and $b$ are both relatively prime to $c$, then $ab$ is relatively
prime to $c$.


Proof of the lemma. The assumption that $a$ is relatively prime
to $c$ implies that there is a solution $(r, s)$ of $1 + rc = sa$. In the
same way, there is a solution $(t, u)$ of $1 + tc = ub$. Then the equation
$sa \cdot ub = (1 + rc)(1 + tc) = 1 + (r + t + rtc)c$ shows that no number
greater than 1 can divide both $ab$ and $c$. □


Conclusion of the proof of the Chinese remainder theorem. It
has now been shown that the first three congruences are equivalent to
a single congruence $x \equiv k_2 \bmod a_1a_2a_3$ for some $k_2$. Therefore, the
first four are equivalent to just two congruences $x \equiv k_2 \bmod a_1a_2a_3$
and $x \equiv m_4 \bmod a_4$, which are in turn equivalent to $x \equiv k_3 \bmod a_1a_2a_3a_4$
for some $k_3$ because the lemma proves first that $a_4$ is relatively
prime to $a_1a_2$ and then that it is relatively prime to $a_1a_2a_3$.
Continuing in this way, the given set of $l$ congruences reduces
to a single congruence $x \equiv k_{l-1} \bmod a_1a_2 \cdots a_l$ for some $k_{l-1}$. In
particular, any two solutions are congruent mod $a_1a_2 \cdots a_l$. □


¹ Closely related statements are to be found in ancient Chinese texts.
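
The construction used in the proofs above, as an added example in Python (not code from the book): the speeded-up augmented Euclidean algorithm of Chapter 5 supplies $1 + ub = va$ and $1 + xa = yb$, and the solution $x = m \cdot yb + n \cdot va$ is then folded over the list of congruences as in the proof of the Chinese remainder theorem. The function names and the sample congruences are assumptions of this example, and "numbers" are taken to be non-negative integers.

```python
def augmented_euclid(a, b, trace=None):
    """Speeded-up augmented Euclidean algorithm of Chapter 5.

    Returns (d, u, v, x, y) with d + u*b == v*a and d + x*a == y*b, where d
    is the greatest common divisor of a and b. No value ever goes negative.
    If a list is passed as trace, each row (d, e, u, v, x, y) is appended.
    """
    if a <= 0 or b <= 0:
        raise ValueError("a and b must be nonzero numbers")
    d, e, u, v, x, y = a, b, 0, 1, 0, 1
    if trace is not None:
        trace.append((d, e, u, v, x, y))
    while d != e:
        k = 1
        while d > 2 * k * e or e > 2 * k * d:
            k *= 2          # largest power of 2 leaving d - k*e (or e - k*d) positive
        if d > e:
            d, u, v = d - k * e, u + k * y, v + k * x
        else:
            e, x, y = e - k * d, k * v + x, k * u + y
        if trace is not None:
            trace.append((d, e, u, v, x, y))
    return d, u, v, x, y


def crt_pair(m, a, n, b):
    """Return the k < a*b for which (x = m mod a and x = n mod b) is the
    same as x = k mod a*b. Requires a and b relatively prime."""
    d, u, v, x, y = augmented_euclid(a, b)
    if d != 1:
        raise ValueError("moduli %d and %d are not relatively prime" % (a, b))
    # v*a is 0 mod a and 1 mod b; y*b is 1 mod a and 0 mod b.
    return (m * y * b + n * v * a) % (a * b)


def crt(congruences):
    """Reduce a list of (m_i, a_i) with pairwise relatively prime a_i to a
    single congruence; returns (k, a_1 * a_2 * ... * a_l)."""
    k, modulus = 0, 1        # every number is 0 mod 1
    for m, a in congruences:
        k = crt_pair(k, modulus, m, a)
        modulus *= a
    return k, modulus


if __name__ == "__main__":
    rows = []
    d, u, v, x, y = augmented_euclid(23, 14, rows)
    for row in rows:
        print("%4d %4d %4d %4d %4d %4d" % row)
    print("%d + %d*14 = %d*23 and %d + %d*23 = %d*14" % (d, u, v, d, x, y))
    # Constructed sample: x = 7 mod 23, x = 3 mod 14, x = 5 mod 9.
    print(crt([(7, 23), (3, 14), (5, 9)]))
```
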


Exercises for Chapter 6 


Study Questions. 


1. The Introduction to Arithmetic of Nicomachus, a Greek work 
of the 2nd century, poses and solves the problem of finding a num- 
ber whose remainders when divided by 3, 5, and 7 are 2, 3, and 2, 
respectively. Find the most general solution. 


2. Show explicitly the correspondence the Chinese remainder 
theorem establishes between the numbers less than 35 and the pairs 
(m,n) of numbers in which m < 5 and n < 7. 


3. Counting arguments like the one in the proof of the theorem of 
this chapter are often imagined in terms of sorting letters (messages in 
envelopes, not items of the alphabet) into pigeonholes. If the “letters” 
are the numbers 0-34 and the “pigeonholes” are the pairs (m,n) in 
which m is one of the numbers 0-4 and n is one of the numbers 0-6, 
how many letters are there, how many pigeonholes, and how does 
this image show that the knowledge that each problem $x \equiv m \bmod 5$,
$x \equiv n \bmod 7$ has a solution implies that that solution is unique for
each pair (m,n)? 

4. Show that the word “nonzero” can be dropped from the statement
of the Chinese remainder theorem (but that if any one $a_i$ is
zero, the conclusion becomes trivial).


5. If the requirement that $a$ and $b$ be relatively prime is dropped
from the theorem at the beginning of this chapter, the conclusion
becomes: (a) the simultaneous congruences $x \equiv m \bmod a$ and $x \equiv n \bmod b$
have a solution if and only if $m \equiv n \bmod d$ where $d$ is the
greatest common divisor of $a$ and $b$, and (b) if $x$ is one solution, then
$x'$ is a solution if and only if $x' \equiv x \bmod (ab/d)$. Prove (a) and (b).


6. The simultaneous congruences $x \equiv m \bmod a$ and $x \equiv n \bmod b$
can also be solved by setting $x = qa + m$ and solving the congruence
$qa + m \equiv n \bmod b$ for $q$. Apply this method to the solution of the
simultaneous congruences $x \equiv 10 \bmod 14$ and $x \equiv 20 \bmod 23$.


Computations. 


7. Pick two unrelated numbers $a$ and $b$ with 8 digits, and solve
$x \equiv 10 \bmod a$ and $x \equiv 20 \bmod b$, if possible, by the method of the
text and by the method of Exercise 6.


8. Pick large numbers $a$, $b$, and $c$ and find all solutions $(x, y)$ of
$ax + b = cy$.
Chapter 7


The Fundamental Theorem of Arithmetic


Because the Euclidean algorithm is practical even for enormous num- 
bers, determining whether two given numbers are relatively prime is 
an easy problem, no matter how large the numbers may be. By con- 
trast, determining whether one given number is prime is much harder 
when the number is very large (see Chapter 11). Harder still is the 
problem that gives prime numbers their meaning, the problem of fac- 
toring a large number into its prime factors (see Chapter 12). In other 
words, the factorization that the theorem of this chapter proves exists 
may be extremely hard to find in practice. 


(Before the advent of modern computers, factoring a number with 
only six or seven digits could be a real challenge. Today’s software 
packages factor numbers with fifteen or twenty digits handily, but 
numbers with hundreds of digits can still be nearly impossible to 
factor.) 


A number is composite if it can be written as a product of two
numbers, both of which are greater than 1. A number is prime if it
is greater than 1 and is not composite. Thus, the numbers 0 and 1
are neither prime nor composite.¹


¹ In the past there has been some difference of opinion, but today
mathematicians agree that 1 should not be regarded as prime.


Proposition. If $a$ is prime and if $bc \equiv 0 \bmod a$, then either
$b \equiv 0 \bmod a$ or $c \equiv 0 \bmod a$.


Proof. Suppose $bc \equiv 0 \bmod a$ but neither $b \equiv 0 \bmod a$ nor
$c \equiv 0 \bmod a$, and let $d$ be the greatest common divisor of $a$ and $b$. The
condition $b \not\equiv 0 \bmod a$ implies that $d \ne a$. If $d$ were 1, the augmented
Euclidean algorithm would give an equation $1 + ua = vb$ and multiplication
by $c$ would give $c + uac = vbc$, from which $c + uc \cdot 0 \equiv v \cdot 0 \bmod a$
would follow, contrary to assumption. Therefore, the equation
$a = d \cdot \frac{a}{d}$ shows $a$ is not prime. □


The Fundamental Theorem of Arithmetic. Every number greater
than 1 can be written as a product of prime numbers. If two products
of prime numbers are equal, say


$p_1 p_2 \cdots p_m = q_1 q_2 \cdots q_n$


where $p_1, p_2, \ldots, p_m$ and $q_1, q_2, \ldots, q_n$ are all prime numbers, then
$m = n$ and the two lists $p_1, p_2, \ldots, p_m$ and $q_1, q_2, \ldots, q_n$ of primes
are the same, except that they may be ordered differently.


Proof. Let a number $a > 1$ be given. If $a$ is not prime, it is composite
and so can be written $a = bc$ where $b$ and $c$ are both greater than
1. If either $b$ or $c$ is not prime, it can be written as a product of
two numbers both greater than 1, and the process can be continued,
writing $a$ as a product of more and more factors greater than 1, as long
as any one of the factors is not prime. This process must terminate
with a representation of $a$ as a product of primes before it has been
repeated $a$ times, because a product of $a$ factors each of which is
greater than 1 must be² greater than $a$.


Two representations $p_1 p_2 \cdots p_m = q_1 q_2 \cdots q_n$ of the same number
as a product of primes must be the same, except for the order of
the factors, as can be seen in the following way. Since the greatest
common divisor of $p_1$ and $q_1 q_2 \cdots q_n$ is $p_1 > 1$, the lemma of Chapter 6
implies that the greatest common divisor of $p_1$ and $q_i$ must be greater
than 1 for at least one of the prime factors $q_i$ on the right. By the
definition of a prime number, the only divisor of $p_1$ greater than 1
is $p_1$, and the same is true of $q_i$, so the greatest common divisor of
$p_1$ and $q_i$ can be greater than 1 only if $p_1 = q_i$. In short, $p_1$ must
occur among the factors $q_i$ on the right. Rearrange these factors,
if necessary, to make $p_1 = q_1$. The original equation then becomes
$p_1 p_2 \cdots p_m = p_1 q_2 \cdots q_n$. Since $m > 1$ if and only if this number is
greater than $p_1$, $m > 1$ if and only if $n > 1$. When this is the case,
the same argument can be applied to $p_2 p_3 \cdots p_m = q_2 q_3 \cdots q_n$ to show
that the $q$’s can be rearranged to make $q_2 = p_2$ and that $m > 2$ if
and only if $n > 2$. Repetition of this argument $m$ times completes
the proof of the theorem. □


² This statement is clearly true for $a = 1$. If it is true for some $a > 0$, then
it is true for $a + 1$ because a product of $a + 1$ such factors is a number that is at
least 2 times a number greater than $a$, so it is greater than $2a = a + a \ge a + 1$.


Exercises for Chapter 7 


Study Questions. 


1. Find newspaper articles about the factorization of very large 
numbers and how certain large numbers have been factored by parcel- 
ing out the problem in a sophisticated way to many computers col- 
laborating over the worldwide web. 


2. Prove using the fundamental theorem of arithmetic that no 
number A that is not a square can have a rational square root. (In 
particular, restate this proposition in a way that does not use “ratio- 
nal numbers.” ) 


Computations. 


3. Modern computers are so fast that one can actually factor 
numbers of 10 digits reasonably quickly by brute trial divisions. Im- 
plement the following algorithm for doing this and try it out on some 
large numbers: 


Input: A number n
Algorithm:
    t = 0
    m = 1
    While m² < n and t = 0
        m = m + 1
        q = 0
        While n ≥ (q + 1)m
            q = q + 1
        End
        If n = qm then t = 1
    End
Output: If t = 0 then n is prime, else m is the least prime factor of n


4. Speed up the algorithm in Exercise 3 by starting with m = 0 
and incrementing it by 2 at each step, except that if that incremen- 
tation makes it 4, subtract 1 from the result. Do empirical tests to 
see how effective this modification is in speeding up the algorithm. 


5. Further speed up the algorithm of Exercise 3 by replacing the
middle “while” loop by a while loop that, instead of adding 1 to $q$
until it no longer satisfies $n \ge qm$, adds to $q$ the largest power of
2 that preserves $n \ge qm$. Again, test empirically how effective this
modification is.


Chapter 8


Exponentiation and Orders


Given two nonzero numbers $a$ and $b$, $a$ to the power $b$, denoted $a^b$, is
by definition the number obtained by multiplying $a$ by itself $b$ times.
In everyday experience, raising numbers to powers is difficult for the
superficial reason that the answer is normally a very large number, so
the mere statement of the answer is cumbersome. But for any given
$c$ the congruence $a^b \equiv x \bmod c$ has a solution $x$ no larger than $c$, and
there is a simple and altogether practical algorithm for finding it:


Input: Nonzero numbers a, b, c
Algorithm:
    Set x = 1, y = a, z = b
    While z > 0
        If z ≡ 0 mod 2
            z = z/2
            y = y²
            Reduce y mod c
        Else
            z = z − 1
            x = xy
            Reduce x mod c
    End
Output: x


As in the case of the augmented Euclidean algorithm, the working
of the algorithm can be seen from a table with one column for each
of the numbers $x$, $y$, and $z$ and with one row for each step of the
algorithm. For example, the computation of $2^{90}$ mod 91 is¹ shown by


 x   y   z
 1   2  90
 1   4  45
 4   4  44
 4  16  22
 4  74  11
23  74  10
23  16   5
 4  16   4
 4  74   2
 4  16   1
64  16   0


with the conclusion that $2^{90} \equiv 64 \bmod 91$. (As the table indicates,
$16^2 \equiv 74 \bmod 91$, $4 \cdot 74 \equiv 23 \bmod 91$, $74^2 \equiv 16 \bmod 91$, and
$23 \cdot 16 \equiv 4 \bmod 91$, which are easy computations. The other computations are
evident.)


At each step, $z$ is decreased—either 1 is subtracted from it, or it
is divided by 2. Therefore, the algorithm must eventually reach $z = 0$
and terminate. Each step leaves the value of $xy^z$ modulo $c$ unchanged
because $x(y^2)^{z/2} \equiv xy^z \bmod c$ (in the case of steps that divide $z$ by 2)
and $xy \cdot y^{z-1} \equiv xy^z \bmod c$ (in the case of steps that reduce $z$ by 1)
until² $z = 1$. Therefore, at the next-to-last step, $xy^z$ is congruent
mod $c$ to $1 \cdot a^b$ and on the last step $x$ itself becomes congruent mod $c$
to $a^b$. In other words, the output $x$ is indeed congruent to $a^b$ mod $c$.
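
The algorithm above, transcribed into Python as an added example (not code from the book); the function names are assumptions of this example. It records the table of $x$, $y$, $z$ rows so the $2^{90}$ mod 91 computation can be reproduced, and it checks on every row the invariant that the correctness argument rests on, using Python's built-in `pow` only as an independent reference.

```python
def power_mod(a, b, c, trace=None):
    """Return x < c with a^b congruent to x mod c, by the algorithm of the text.

    If a list is passed as trace, each table row (x, y, z) is appended.
    Which branch runs depends on the bits of b, so the running time reveals
    information about b; this transcription is for study, not for exponents
    that must stay secret.
    """
    if a <= 0 or b <= 0 or c <= 0:
        raise ValueError("a, b and c must be nonzero numbers")
    x, y, z = 1, a, b
    if trace is not None:
        trace.append((x, y, z))
    while z > 0:
        if z % 2 == 0:
            z //= 2
            y = (y * y) % c     # y = y^2, reduced mod c
        else:
            z -= 1
            x = (x * y) % c     # x = xy, reduced mod c
        if trace is not None:
            trace.append((x, y, z))
    return x


def invariant_holds(a, b, c):
    """Check that x * y^z is congruent to a^b mod c on every row of the table.

    On the last row z = 0; Python evaluates y^0 as 1 even when y = 0, which
    settles the case the text's footnote leaves undefined.
    """
    rows = []
    power_mod(a, b, c, rows)
    target = pow(a, b, c)
    return all((x * pow(y, z, c)) % c == target for x, y, z in rows)


def step_count(a, b, c):
    """Number of steps taken: one halving per bit of b after the first and
    one subtraction per 1-bit, so fewer than twice the bit length of b."""
    rows = []
    power_mod(a, b, c, rows)
    return len(rows) - 1


if __name__ == "__main__":
    rows = []
    result = power_mod(2, 90, 91, rows)
    for row in rows:
        print("%3d %3d %3d" % row)
    print("2^90 mod 91 =", result)
    print("invariant holds:", invariant_holds(2, 90, 91))
    # Constructed large input: a 521-bit exponent still needs about 1000 steps.
    print(step_count(3, 2**521 - 1, 10**40 + 121))
```
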


The fact that $a^b$ mod c can be computed is not a mere curiosity
but an extremely useful tool. (See Chapter 11, for example.) A big
part of its usefulness is connected with the solution of:


¹Note the violation of the rule stated in Chapter 3 that “mod 91” is
meaningful only in conjunction with a ≡ sign. Here “mod 91” is used instead in
conjunction with the word “computation.” The computation does not find $2^{90}$
itself but only finds it mod 91—it is a “computation mod 91.”

²Note that $y^z$ is not always defined when z = 0. See Exercise 1.


Problem. Given numbers a and c, both greater than 1, determine
all solutions b > 0 of $a^b \equiv 1 \bmod c$.


Proposition. This problem has a solution b if and only if a is rela- 
tively prime to c. When it has a solution, every solution is a multiple 
of the smallest solution. 


Proof. If the problem has a solution, say $a^b \equiv 1 \bmod c$, then
$a^b + sc = 1 + tc$ for some numbers s and t. Since $a^b$ is a multiple of a, the
equation $a^b + sc = 1 + tc$ shows that $0 \equiv 1 \bmod [a, c]$ which means
that a and c are relatively prime.


For the proof of the converse, assume a and c are relatively prime
and consider the first c + 1 powers $a, a^2, a^3, \ldots, a^{c+1}$ of a. Each of
these c + 1 numbers is congruent mod c to one of the c numbers less
than c. Therefore, at least two of these powers $a^i$ must be congruent
mod c to the same number less than c and therefore must be congruent
to each other mod c. In this way one can find nonzero numbers k and l
such that $a^k \equiv a^l \bmod c$ and k < l. Since a and c are relatively prime,
the augmented Euclidean algorithm gives a solution of 1 + uc = va.
Multiplication of $a^k \equiv a^l \bmod c$ by $v^k$ gives $(av)^k \equiv a^l v^k \bmod c$,
which is to say $(av)^k \equiv a^{l-k}(av)^k \bmod c$, or simply $1 \equiv a^{l-k} \bmod c$,
so the problem has the solution b = l − k > 0.

Finally, if $b_1$ and $b_2$ are solutions, then their greatest common
divisor, call it $b_3$, is also a solution, because $b_3 + ub_1 = vb_2$ for some
numbers u and v, which implies
$a^{b_3} \equiv a^{b_3} \cdot 1^u \equiv a^{b_3} \cdot (a^{b_1})^u \equiv (a^{b_2})^v \equiv 1 \bmod c$.
Thus, if $b_1$ is the smaller of the two solutions $b_1$ and $b_2$, and
if $b_2$ is not a multiple of $b_1$, there is a third solution smaller than $b_1$.
In other words, given a solution, trying all smaller numbers either
produces a smaller solution or proves that the only solutions are the
multiples of the given one. □


Definition. When a and c are relatively prime nonzero numbers, the
order of a mod c is the smallest solution b of $a^b \equiv 1 \bmod c$.


The proposition states that the solutions b > 0 of $a^b \equiv 1 \bmod c$
are the nonzero multiples of the order of a mod c.




Problem. Given relatively prime nonzero numbers a and c, find the 
order of a mod c. 


The proof of the proposition shows that the order of a mod c is
at most c, so the order can be found by computing $a^b$ mod c for all
numbers b < c. The order of a mod c is simply the smallest b for
which the answer is 1. If c is very large, however, this approach to
the problem involves far too much calculation to be practical.


The solution of this problem can be extremely difficult in some 
cases, but in other cases it is easy because of a few simple rules that 
are obeyed by the orders of numbers for a given c. These rules are 
the subject of the next two chapters, but before you go on to these 
chapters, you should do lots of examples of small values of c and see 
if you can discover the rules for yourself. 


Exercises for Chapter 8 


Study Questions. 


1. The definition of $a^b$ requires that a and b both be greater
than 0. How would you define it in the case a > 0 and b = 0? In
the case a = 0 and b > 0? How would you define $0^0$? (Note that
the explanation of the algorithm in the text would be made a little
simpler if it used the definition of $a^b$ in the case b = 0, a ≠ 0.)


Computations. 


2. Find the orders mod 13 of all numbers a < 13 that are rela- 
tively prime to 13. 

3. Answer the preceding question for a few numbers other than 
13. 

4. Find $2^{10}$ mod 11, $2^{20}$ mod 21, $2^{30}$ mod 31, $2^{40}$ mod 41,
$2^{50}$ mod 51, $2^{60}$ mod 61, $2^{70}$ mod 71, $2^{80}$ mod 81, $2^{90}$ mod 91,
and $2^{100}$ mod 101 using the above algorithm. You may notice some
regularities and near-regularities.

5. Using a programmable calculator and the algorithm of the
text, find $a^b$ mod c for some 3-digit numbers a, b, and c.

6. Some of the exercises in the following chapters will require
computing $a^b$ mod c for some very large numbers a, b, and c. (Many
software systems, including UBASIC, have built-in capabilities for
doing such computations. However, programming the algorithm for
yourself will give you a better understanding of it.) Compute some
examples in which a, b, and c have 10 digits.
Chapter 9


Euler’s φ-Function


For a positive number c, the number of positive numbers less than or
equal¹ to c that are relatively prime to c is called phi of c, written²
$\phi(c)$. It is often called Euler’s φ-function in honor of the great
18th-century mathematician Leonhard Euler. It plays a central role in
determining the orders of numbers mod c.


The values of $\phi(c)$ for small values of c are easily found. For
example,


  c  $\phi(c)$    c  $\phi(c)$    c  $\phi(c)$    c  $\phi(c)$    c  $\phi(c)$
  1      1       11     10       21     12       31     30       41     40
  2      1       12      4       22     10       32     16       42     12
  3      2       13     12       23     22       33     20       43     42
  4      2       14      6       24      8       34     16       44     20
  5      4       15      8       25     20       35     24       45     24
  6      2       16      8       26     12       36     12       46     22
  7      6       17     16       27     18       37     36       47     46
  8      4       18      6       28     12       38     18       48     16
  9      6       19     18       29     28       39     24       49     42
 10      4       20      8       30      8       40     16       50     20


¹$\phi(c)$ could also be described as the number of positive numbers less than c
and relatively prime to c, except that this definition would make $\phi(1) = 0$, and it
is universally agreed that $\phi(1)$ should be 1.

²φ is the Greek letter phi.


Study these values of $\phi(c)$ to find the patterns they follow and
extend the table up to c = 100 using the insights gained.


For example, as is clear from the definition, $\phi(c) = c - 1$ when c is
prime. Thus, the value of $\phi(c)$ can easily be filled in for all the prime
numbers 53, 59, 61, ... between 50 and 100. Also, a comparison of
the values of $\phi(c)$ and $\phi(2c)$ gives a simple (but perhaps surprising)
relation between the two; the answer depends on whether c is even
or odd. Similarly, there is a simple relation between $\phi(c)$ and $\phi(3c)$
that depends on whether c is divisible by 3. A similar relation holds
between $\phi(c)$ and $\phi(pc)$ for any prime number p. Once this is known,
the value of $\phi(c)$ can easily be found for any number c whose
factorization into primes is known.


Exercises for Chapter 9 


Study Questions. 


1. The following rule was hinted at in the chapter. Prove that it
is correct:


Proposition. If p is prime and c is any number, then $\phi(pc) = p\phi(c)$
if p divides c and otherwise $\phi(pc) = (p - 1)\phi(c)$.


[Write numbers less than pc in the form qc + r where q < p and
r < c and determine which of them are relatively prime to pc.]


2. From the proposition in the previous question, deduce: For
any number c,
$\phi(c) = c\left(1 - \frac{1}{p_1}\right)\left(1 - \frac{1}{p_2}\right) \cdots \left(1 - \frac{1}{p_k}\right)$
where $p_1, p_2, \ldots, p_k$ are the distinct prime factors of c. Show how
this formula applies in the case of several entries in the table of values
of $\phi(c)$. Explain why this formula, despite its appearance, does not
really involve fractions.


3. Find $\phi(60)$ using the formula of question 2 and list explicitly
the numbers less than or equal to 60 that are relatively prime to 60.
(By the way, which, if any, of these $\phi(60)$ numbers are composite?)


4. Prove that if m and n are relatively prime, then
$\phi(mn) = \phi(m)\phi(n)$.
Chapter 10


Finding the Order of a mod c


The key to the solution of the problem of determining the order of
a mod c when a and c are given relatively prime numbers is the
observation that multiplication by a permutes the numbers counted by
$\phi(c)$ in a very special way.

For example, mod 8, multiplication by 3 permutes the 4 numbers
1, 3, 5, 7 counted by $\phi(8)$ in the following way: $1 \mapsto 3$, $3 \mapsto 1$
($\equiv 3 \cdot 3 \bmod 8$), $5 \mapsto 7$ ($\equiv 3 \cdot 5 \bmod 8$), $7 \mapsto 5$ ($\equiv 3 \cdot 7 \bmod 8$).
The shorthand way to describe this permutation of 1, 3, 5, 7 is as
(13)(57). The same shorthand describes the permutation of 1, 3, 5, 7
effected by multiplication by 5 mod 8 as (15)(37) and the one effected
by multiplication by 7 mod 8 as (17)(35).


Multiplication by 2 mod 5 effects the permutation
$1 \mapsto 2 \mapsto 4 \mapsto 3 \mapsto 1$ of the four numbers counted by $\phi(5)$, for which
the shorthand is (1243). Similarly, the permutation of the 6 numbers
counted by $\phi(7)$ effected by multiplication by 4 mod 7 is abbreviated
(142)(356), the permutation of the 6 numbers counted by $\phi(9)$ effected
by multiplication by 2 mod 9 is abbreviated by (124875), and the
permutation of them effected by multiplication by 7 mod 9 is abbreviated
by (174)(258). (In each case, the number to the right of a number is
its image under the permutation, except when there is no number—
but a right parenthesis—to the right of the number, in which case
the image under the permutation is the number to the right of the
corresponding left parenthesis.)


This notation for permutations runs into trouble when the things
being permuted include numbers with two digits. For example,
multiplication by 2 mod 15 carries $1 \mapsto 2 \mapsto 4 \mapsto 8 \mapsto 1 \equiv 2 \cdot 8 \bmod 15$ and
carries $7 \mapsto 14 \mapsto 13 \equiv 2 \cdot 14 \bmod 15 \mapsto 11 \equiv 2 \cdot 13 \bmod 15$. A
shorthand way to describe this permutation is to let A, B, and C stand for
the 2-digit numbers 11, 13, 14, respectively, that are relatively prime
to 15 so that the permutation can be written (1248)(7CBA). Mod
13, the objects being permuted can be written 1, 2, 3, 4, 5, 6, 7, 8, 9,
D = 10, E = 11, F = 12. Multiplication by 2 mod 13 then gives the
permutation (124836FE95D7), multiplication by 5 mod 13 gives the
permutation (15F8)(2DE3)(4796), and so forth.


Theorem. The permutation of the numbers counted by $\phi(c)$ that is
effected by multiplication by a mod c, where a is any one of them,
partitions them into cycles of equal length.


(Multiplication by 1 mod c is the identity, which can be regarded
as the permutation that partitions the numbers counted by $\phi(c)$ into
$\phi(c)$ cycles of length 1.)


In other words, in the shorthand way of writing permutations
that is described above, the $\phi(c)$ numbers being permuted are written
as sets of equal size between parentheses, such as (174)(258) or
(124875) or (15F8)(2DE3)(4796). In particular, $\phi(c)$ is a product of
two factors—the number of cycles times the number of items in each
cycle.


Proof. Let c > 0 be given, and let a be a given number relatively
prime to c. For any b relatively prime to c, the orbit of b under
multiplication by a mod c is the set of numbers less than c and
relatively prime to c that are congruent to $b \cdot a^i \bmod c$ for some i. In
terms of the above shorthand for permutations, the orbit of b under
multiplication by a mod c is simply the set of numbers included in
the parentheses that include b. The theorem states that these orbits
all have the same size.


The theorem will be proved by showing that for any b the length
of the orbit of b is the order of a mod c, so the length of the orbit of
b does not depend on b.


The orbit of b under multiplication by a mod c clearly contains
at most r distinct numbers, where r is the order of a mod c, because
$b \equiv ba^r \equiv ba^{2r} \equiv ba^{3r} \equiv \cdots \bmod c$ and, more generally, any two
numbers in the list $b, ba, ba^2, ba^3, \ldots$ that are r steps apart are
congruent mod c.


What is to be shown, then, is that $ba^i \not\equiv ba^{i+j} \bmod c$ whenever
$0 \le i < j < r$. If this statement were false, there would be a number k
in the range 0 < k < r for which $ba^i \equiv ba^{i+k} \bmod c$. But $ba^i \equiv ba^{i+k}$
is impossible for 0 < k < r because a and b are both relatively prime
to c, so one would be able to multiply this congruence once by the
reciprocal of b mod c and i times by the reciprocal of a mod c to find
$1 \equiv a^k \bmod c$, which would be contrary to the definition of r as the
smallest positive solution of $a^r \equiv 1 \bmod c$. □


Corollary. If a is relatively prime to c, then $a^{\phi(c)} \equiv 1 \bmod c$.
Otherwise stated, the order of a mod c divides $\phi(c)$.


Deduction. Say that multiplication by a mod c is a permutation
that consists of e cycles, each of length f. Since f repetitions of a
cyclic permutation of length f returns each item to its original place,
f repetitions of multiplication by a mod c is the identity. In other
words, $a^f \equiv 1 \bmod c$. Therefore,
$a^{\phi(c)} = a^{ef} = (a^f)^e \equiv 1^e = 1 \bmod c$, as was to be shown. □


Problem. Given relatively prime nonzero numbers a and c, find the
order of a mod c.


In practice, the solution of this problem can be difficult, but it is
easy if $\phi(c)$ can be factored into primes because then the factors of
$\phi(c)$ can be enumerated and the order of a mod c can be determined
by a few simple tests.

Specifically, it is known that $a^{\phi(c)} \equiv 1 \bmod c$ and the question is
whether any factor of $\phi(c)$ smaller than $\phi(c)$ has this property. If so,
then some number of the form $\phi(c)/p$, where p is a prime factor of
$\phi(c)$, must have the property, because every factor of $\phi(c)$ less than
$\phi(c)$ divides a number of this form—it leaves out at least one prime
factor of $\phi(c)$. Thus, one tests whether $a^{\phi(c)/p} \equiv 1 \bmod c$ for each
prime factor p of $\phi(c)$. If this congruence is not satisfied for any
prime factor p of $\phi(c)$, then $\phi(c)$ is the order of a mod c. But if a
prime factor p of $\phi(c)$ is found for which $a^{\phi(c)/p} \equiv 1 \bmod c$, one can
then begin trying exponents which are $\phi(c)/p$ divided by one of its
prime factors, and so forth. Eventually (and usually rather soon) one
will find a factor f of $\phi(c)$ for which $a^f \equiv 1 \bmod c$ but
$a^{f/p} \not\equiv 1 \bmod c$ for each prime factor p of f. This f is the order of a mod c.
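
An added Python example (not from the book; all function names are chosen here) of the procedure just described: `order` starts from $\phi(c)$ and strips prime factors, `order_brute_force` is the Chapter 8 method for comparison, and `cycles` lists the permutation of the theorem. It uses Python's built-in `pow(a, b, c)` for exponentiation, the product formula of Chapter 9 for $\phi(c)$, and trial division for factoring, so it assumes modest values of c.

```python
from math import gcd


def prime_factors(n):
    """Distinct prime factors of n, found by trial division."""
    factors, d = [], 2
    while d * d <= n:
        if n % d == 0:
            factors.append(d)
            while n % d == 0:
                n //= d
        d += 1
    if n > 1:
        factors.append(n)
    return factors


def phi(c):
    """Euler's phi: c times (1 - 1/p) over the distinct primes p of c."""
    result = c
    for p in prime_factors(c):
        result = result // p * (p - 1)   # exact division, no fractions
    return result


def order_brute_force(a, c):
    """Smallest b > 0 with a^b = 1 mod c, trying b = 1, 2, 3, ..."""
    if c < 2 or gcd(a, c) != 1:
        raise ValueError("need c > 1 and a relatively prime to c")
    x, b = a % c, 1
    while x != 1:
        x = (x * a) % c
        b += 1
    return b


def order(a, c):
    """Order of a mod c, found by removing prime factors from phi(c)."""
    if c < 2 or gcd(a, c) != 1:
        raise ValueError("need c > 1 and a relatively prime to c")
    f = phi(c)                       # a^f = 1 mod c by the corollary
    for p in prime_factors(f):
        # Keep dividing by p while the smaller exponent still gives 1.
        while f % p == 0 and pow(a, f // p, c) == 1:
            f //= p
    return f


def cycles(a, c):
    """Cycles of x -> a*x mod c on the numbers counted by phi(c)."""
    seen, result = set(), []
    for start in range(1, c):
        if gcd(start, c) == 1 and start not in seen:
            cycle, x = [], start
            while x not in seen:
                seen.add(x)
                cycle.append(x)
                x = (a * x) % c
            result.append(cycle)
    return result


if __name__ == "__main__":
    print(cycles(2, 15))             # (1248)(7CBA) in the book's shorthand
    print([order(a, 7) for a in range(1, 7)])
```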


Traditionally, the fundamental fact of elementary number theory
expressed by the corollary has the unsatisfactory name “Euler’s
generalization of Fermat’s theorem.” The case in which c is prime
is “Fermat’s theorem” itself. That is, Fermat’s theorem is the
statement that $a^{p-1} \equiv 1 \bmod p$ when p is prime and $a \not\equiv 0 \bmod p$. Or,
better, “Fermat’s theorem” is the congruence obtained by multiplying
$a^{p-1} \equiv 1 \bmod p$ by a so that the statement is also true when
$a \equiv 0 \bmod p$:


Fermat’s Theorem¹. If p is prime, then $a^p \equiv a \bmod p$ for all
numbers a.


¹It has become fashionable in recent years to call this theorem “Fermat’s
Little Theorem.” It is a crucial fact of elementary number theory and should not
be belittled.


Exercises for Chapter 10


Study Questions.


1. Reconsider the computations in Exercise 4 of Chapter 8.
Which of the numbers 11, 21, 31, 41, 51, 61, 71, 81, 91 are prime?


2. Fermat’s theorem can be regarded as a statement about binomial
coefficients. Construct Pascal’s triangle showing the coefficients
in the expansion of $(a + b)^n$ for n = 2, 3, ..., 8. For these values of n,
which of them are divisible by n? (a) Formulate what you find in the
case of prime exponents as a congruence involving $(a + b)^p$ when p is
prime. (b) Prove this congruence. [Hint: The formula for binomial
coefficients as fractions in which numerator and denominator involve
factorials is useful.] (c) Deduce Fermat’s theorem from it.


3. The formula $x^k - 1 = (x - 1)(x^{k-1} + x^{k-2} + \cdots + x + 1)$ proves
that $2^n - 1$ is composite whenever n is composite. (For example, $2^{15} - 1$
has the factorization $(2^5 - 1)(2^{10} + 2^5 + 1)$.) If n is prime, $2^n - 1$
may be, and often is, prime. Such primes are called Mersenne primes.
They are a popular topic because they are so easily proved to be prime
(when they are prime). Use the corollary of this chapter to prove that
if n is prime and if p is a prime factor of $2^n - 1$, then $p \equiv 1 \bmod n$.
Moreover, to determine whether p divides $2^n - 1$, one only needs to do
the simple computation of $2^n$ mod p. Clearly $2^2 - 1 = 3$, $2^3 - 1 = 7$,
$2^5 - 1 = 31$ are all prime. That $2^7 - 1 = 127$ is prime follows from
the above ideas without computation. Use these ideas to determine
whether the next few numbers $2^n - 1$ for n = 11, 13, 17, ... are prime.


Computations. 


4. (a) Find the permutation of the numbers less than 25 and
relatively prime to 25 that is effected by multiplication by 4 mod 25.
(Use the letters a, b, c, d for 11, 12, 13, 14, the letters e, f, g, h for
16, 17, 18, 19, and the letters i, j, k, l for 21, 22, 23, 24.) (b) Find
the permutation that is effected by multiplication by 2 mod 25. (c)
Show that the answer to (a) is the square of the answer to (b). (d)
What is the square of the answer to (a)? (e) What is the square of
the answer to (d)?


5. For large relatively prime numbers a and c, find the order of
a mod c. For a start, you might try finding the orders of 99, 100,
and 101 mod 221, but you can also answer the question for numbers
with several digits, using a computer to do exponentiations and
factorizations. (For factorizations, use the program in the exercises of
Chapter 7.)
Chapter 11


Primality Testing


Fermat’s theorem has the surprising corollary that a number can be
proved to be composite without any investigation of its factors. For
example, as was shown in Chapter 8, $2^{90} \equiv 64 \bmod 91$. The theorem
of the last chapter proves that if 91 were prime, $2^{90}$ would be 1 mod
91, so 91 must be composite. Of course, 91 is more easily proved to
be composite by giving the explicit factor 7, but for very large odd
numbers n it is usually easier to compute $2^{n-1}$ mod n than it is to
look for factors.


For example, many trial divisions are necessary to find the prime
factorization of 1022117, but the relatively simple computation of
$2^{1022116} \equiv 467183 \bmod 1022117$ is all that is needed to determine
that 1022117 is composite.

In the same way, computation of $3^{1022116} \equiv 537878 \bmod 1022117$
proves that 1022117 is composite, as does computation of $a^{1022116}$ mod
1022117 for any number a for which $a^{1022116} \not\equiv 1 \bmod 1022117$. A
single a for which $a^{n-1} \not\equiv 1 \bmod n$ suffices to prove that n is composite.


Primality Test. Given a number n, choose a number a in the range
1 < a < n and compute $a^{n-1}$ mod n. If the result is not 1 mod n,
then n is composite.




This test is incomplete in the sense that it may not determine 
whether n is prime. It tests the primality of n in the sense that hard- 
ship tests a person’s character. Hardship may prove that character 
is lacking, and the above test may prove that a number is not prime, 
but a person of poor character may withstand hardship and a number 
may pass the test without being prime. If one only needs to make a 
highly reliable guess as to whether a given number is prime, this test 
is very useful because experience shows that most composite numbers 
are proved to be composite by just one test of this type; a number 
that is not proved composite by a half a dozen or so such tests is very 
likely not composite—which is to say that it is probably prime. 


Again, the test can prove that a number is composite, but it can 
never prove that a number is prime. 


Another way to describe the situation is to say that
$a^{n-1} \equiv 1 \bmod n$ is a necessary condition for n to be prime. It is a strong
necessary condition in the sense that relatively few composite numbers
go undetected by it, but it is not a sufficient condition; many
examples do exist of pairs of numbers a and n in which n is composite,
1 < a < n, and $a^{n-1} \equiv 1 \bmod n$.


The test is greatly strengthened by the following simple observa- 
tion: 


Lemma. If p is prime and if x is a number satisfying $x^2 \equiv 1 \bmod p$,
then either $x \equiv 1 \bmod p$ or $x \equiv -1 \bmod p$.


Proof. Because $x^2 \equiv 1 \bmod p$, x ≠ 0. Therefore, x − 1 is a number
and the product $(x - 1)(x + 1) = x^2 - 1$ is divisible by p. Since p is
prime, p divides at least one of the factors on the left, as was to be
shown. □


Since there is never any doubt about whether an even number is 
prime, the above test can be strengthened to: 


Primality Test. Given an odd number n, choose a number a in the
range 1 < a < n and compute $a^{(n-1)/2}$ mod n. If the result is not
±1 mod n, then n is composite.


This revised test is not only simpler in the sense that it calls
for raising a to a lower power, it is also stronger in the sense that
it catches some composite numbers that elude the first test. For
example, $3^{3300} \equiv 4509 \bmod 6601$ so 6601 is composite, even though
$3^{6600} \equiv 1 \bmod 6601$.


The lemma leads to an even stronger test in many cases, because
when $a^{(n-1)/2} \equiv 1 \bmod n$ and $\frac{n-1}{2}$ is even, one knows that $a^{(n-1)/4}$
must be ±1 mod n if n is prime. Moreover, if $a^{(n-1)/4}$ is found to be
1 mod n and if $\frac{n-1}{4}$ is even, then $a^{(n-1)/8}$ must be ±1 mod n if n is
prime, and so forth.


When this method is applied to n = 6601 with a = 2, one finds
first $2^{3300} \equiv 1 \bmod 6601$, which leads one to compute $2^{1650}$ mod 6601.
Since in fact $2^{1650} \equiv 4509 \bmod 6601$, 6601 is composite (as was found
above using a = 3 instead of a = 2).


The primality test that follows from these observations, which is 
called Miller’s test, is described by the following algorithm: 


Miller’s Test for Base a.


Input: n, a (1 < a < n and n is odd)


Algorithm:
    t = 1
    e = (n − 1)/2
    While t = 1
        Compute u = a^e mod n
        If u ≡ −1 mod n then t = 0
        Elseif u ≡ 1 mod n and e is even then e = e/2
        Elseif u ≡ 1 mod n then t = 0
        Else t = 2
    End
Output: If t = 2 print “n is composite” else print “n passes Miller’s test for
the base a”


For n to pass Miller’s test (for t to become 0), n must satisfy one
of two conditions:


(1) the congruence $a^{(n-1)/2^i} \equiv -1 \bmod n$ holds for some i > 0
for which $2^i$ divides n − 1, or


(2) $a^{(n-1)/2^i} \equiv 1 \bmod n$ when i is the number of times 2 divides
n − 1.


Otherwise, there is an even exponent m for which $a^m \equiv 1 \bmod n$
and $a^{m/2} \not\equiv \pm 1 \bmod n$, so n must be composite.


(Note that Miller’s test never asks whether $a^{n-1} \equiv 1 \bmod n$. If
this condition fails, then (1) or (2) must fail.)


Fact: The number 3215031751 = 151 · 751 · 28351 is the only
composite number less than $2.5 \times 10^{10}$ that passes Miller’s test for
all of the bases 2, 3, 5, and 7. Miller’s test for base 11 proves it is
composite.


Considering the number of composite numbers less than
$2.5 \times 10^{10}$, this fact shows how strong Miller’s test is, even though a
composite number can occasionally slip by it undetected.
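
Both tests of this chapter as an added Python example (not the book's code; the function names are chosen here). `miller_test` follows the algorithm above step by step, and `probably_prime` assumes its bases are small primes; by the Fact just quoted, the default bases 2, 3, 5, 7, 11 let no composite below $2.5 \times 10^{10}$ slip through.

```python
def fermat_test(n, a):
    """First test of the chapter: True means base a proves n composite."""
    if not 1 < a < n:
        raise ValueError("need 1 < a < n")
    return pow(a, n - 1, n) != 1


def miller_test(n, a):
    """Miller's test for base a; returns 'composite' or 'passes'."""
    if n < 3 or n % 2 == 0 or not 1 < a < n:
        raise ValueError("need odd n and 1 < a < n")
    e = (n - 1) // 2
    while True:
        u = pow(a, e, n)
        if u == n - 1:
            # u = -1 mod n: nothing further can be concluded.
            return "passes"
        if u != 1:
            # A square root of 1 other than +1 or -1 (or a^(n-1) != 1).
            return "composite"
        if e % 2 == 1:
            # u = 1 and the exponent cannot be halved again.
            return "passes"
        e //= 2


def probably_prime(n, bases=(2, 3, 5, 7, 11)):
    """Divide by each base, then run Miller's test for every base.

    False is a proof that n is composite. True only means that no base
    proved n composite, which is not a proof of primality in general.
    """
    if n < 2:
        return False
    for a in bases:
        if n == a:
            return True
        if n % a == 0:
            return False
    if n % 2 == 0:
        return False
    return all(miller_test(n, a) == "passes" for a in bases)


if __name__ == "__main__":
    print(fermat_test(91, 2))                 # 2^90 = 64 mod 91
    print(fermat_test(6601, 3), miller_test(6601, 3))
    for a in (2, 3, 5, 7, 11):
        print(a, miller_test(3215031751, a))
```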


Exercises for Chapter 11 


Study Questions. 


1. Does it make sense to take the base a in Miller’s test to be a 
prime? 

2. If (n − 1)/2 is even and $a^{(n-1)/2} \equiv +1 \bmod n$, Miller’s test
requires computing $a^{(n-1)/4}$ mod n. If it had been known at the
outset that $a^{(n-1)/4}$ would be needed, it would have been more
efficient to compute it first and then to find $a^{(n-1)/2}$ mod n by squaring.
For this reason, Miller’s test is often performed by first computing
$a^{(n-1)/2^i}$ mod n where i is the number of times that 2 divides n − 1
and repeatedly squaring to find $a^{(n-1)/2^{i-1}}$ mod n, $a^{(n-1)/2^{i-2}}$ mod n,
..., $a^{(n-1)/2}$ mod n. Express this test in the form of an algorithm
like the one in the text.


Computations. 


3. The number 12801 is composite because it is divisible by 3. 
Miller’s test for the base 2 and Miller’s test for the base 5 both prove 
it is composite, but both require rather a lot of computation. Do the 
computations. 


4. Choose a 3-digit number xxx, and for each odd number n
between xxx00 and xxx90, use an implementation of the exponentiation
algorithm to compute $2^{(n-1)/2}$ mod n. If the answer is not ±1 mod n
(remember that −1 does not appear as −1 but as n − 1 in the
output of the exponentiation), then n is composite. In all likelihood,
a number of values of n will remain. For each of them, complete
Miller’s test for the base 2. (It is already complete if $\frac{n-1}{2}$ is odd or
if $2^{(n-1)/2} \equiv -1 \bmod n$.) Some values of n will probably remain. For
each of them, try to prove they are composite by using Miller’s test
for the base 3 and the base 5. (It is unlikely that this will succeed,
because composite numbers that pass Miller’s test for the base 2 are—
especially in this range—rare.) Finally, use a factorization program
(feasible in this range) to verify that the remaining numbers are all
prime (or—very unlikely—to identify a composite number that passes
Miller’s test for the bases 2, 3, and 5).


5. Try to find, by trial-and-error, a composite number n that 
passes Miller’s test for some base a. (Not easy. In fact, there is little 
hope of success without using a computer to try hundreds of cases. 
As the case of 3215031751 suggests, a good way to proceed is to look 
for a number n that is proved composite by Miller’s test for one base 
a but passes the test for another base.) 
Chapter 12


The RSA Cipher System


In this information age, everyone understands that all forms of infor- 
mation, from recorded sounds to pictures of distant galaxies, can be 
expressed as sequences of zeros and ones—that is, as numbers. It is 
natural, therefore, to restate the problem of encoding and decoding 
messages—which we normally think of as sequences of letters—as the 
problem of encoding and decoding numbers. 


Specifically, let the problem be imagined in the following way: We 
are at one end of a phone line, and we are eager to know a number 
that is in the possession of the person, call him Deep Throat, at the 
other end of the line, but we are convinced that numbers sent over 
the line can be monitored by other parties who are as eager to know 
the number as we are to keep it secret from them. For the sake of 
definiteness, let us say that the secret number has 99 digits. 


The RSA system, invented in 1978 by R. L. Rivest, A. Shamir, 
and L. M. Adleman, gives us the following way to accomplish our 
goal: 


We first find two 51-digit prime numbers; call them p and q. This 
is a substantial computation, but a relatively easy one using Miller’s 
test and a computer program capable of adding and multiplying very 
large integers. We will just pick a 51-digit number that is not divisible 
by 2, 3, or 5 and apply Miller’s test for the bases 2, 3, and 5. If
the tests show it is composite, we will add 30 and try again. Soon, 
experience shows, we will find a number that passes these three tests. 
Chances are, it is prime, but, for safety’s sake, we will apply Miller’s 
test for several other bases a, before deciding to choose this number 
as p. We will follow the same procedure to choose q, another 51-digit 
prime that will resemble p in no other way. 


Next, we will compute the product of p and q; call it n. This n
will have 100 or 101 digits. (Since p and q are between $10^{50}$ and $10^{51}$,
their product is between $10^{100}$ and $10^{102}$.) We will keep p and q as
our most carefully guarded secret, but we will send n to Deep Throat
over the phone line that connects us. We will also send him another
100 digit number e chosen at random subject to the sole condition
that it be relatively prime to $\phi(n)$.


(We know $\phi(n)$ because


$\phi(n) = \phi(pq) = \phi(p)\phi(q) = (p - 1)(q - 1) = n - p - q + 1$.


Thus, we can quickly determine whether any given e is relatively
prime to $\phi(n)$ using the Euclidean algorithm.)


Our instruction now to Deep Throat is: Take the secret number,
call it P (it is the “plain text”), raise it to the power e mod n, say
$C \equiv P^e \bmod n$ (C is the “cipher text” or “code text”), and send us
C over the phone line.


We don’t care that our adversaries can intercept the number C—
just as they could have intercepted n and e—because in their
ignorance of p and q they can’t do what we will do to find the secret
number P, which is to use the augmented Euclidean algorithm to
find a reciprocal of e mod $\phi(n)$, say $re \equiv 1 \bmod \phi(n)$, and to raise C
to the power r mod n. The resulting number—assuming, of course,
that it is reduced mod n—will be the secret number!


That is: 


Proposition. If p and q are distinct primes, if n = pq, and if
$re \equiv 1 \bmod \phi(n)$, then $(P^e)^r \equiv P \bmod n$.

Proof. To prove $P^{er} \equiv P \bmod n$, it will suffice (by virtue of the
Chinese remainder theorem) to prove that $P^{er} \equiv P \bmod p$ and
$P^{er} \equiv P \bmod q$. Since the conditions are symmetric in p and q, it will
suffice to prove just $P^{er} \equiv P \bmod p$.

The congruence $P^{er} \equiv P \bmod p$ is obviously true when
$P \equiv 0 \bmod p$. When $P \not\equiv 0 \bmod p$, Fermat’s theorem implies
$P^{p-1} \equiv 1 \bmod p$. When s is defined by $re = s\phi(n) + 1$, one finds then that
$P^{re} = P^{s\phi(n)+1} = P^{s(p-1)(q-1)} \cdot P = (P^{p-1})^{s(q-1)} \cdot P \equiv 1^{s(q-1)} \cdot P = P \bmod p$,
which completes the proof. □


Note that a slight modification of the proof shows that
$re \equiv 1 \bmod \phi(n)$ implies $P^{re} \equiv P \bmod n$ whenever n is a product of
distinct primes, even when there are more than two of them. If we are
mistaken and the n = pq we have chosen is not the product of two
primes p and q, it will still very likely be true that $re \equiv 1 \bmod \phi(n)$
implies $P^{re} \equiv P \bmod n$ (it is very unlikely that p or q would have a
repeated prime factor), but it will not be true that $\phi(n) = (p - 1)(q - 1)$,
so the reciprocal r of e mod (p − 1)(q − 1) that is easy for us to
compute will not in fact be the reciprocal of e mod $\phi(n)$ that is needed to
find P. Therefore, the system will not work if either p or q fails to be
prime. If we had the bad luck to have chosen, despite our precautions,
a value that was not prime, the message we received would be
garbled, and we would need to try again with a new p and a new q. If the
situation is so critical that there can be no second chance, we would
need to use more—and more sophisticated—tests of the primality of
p and q.

The real question is whether our assumption is correct that our 
adversaries won’t be able to find the magic number r we used to 
decode the message. We were able to find it using the augmented 
Euclidean algorithm because we knew the prime factors p and q of 
n and therefore knew ¢(n). Our adversaries could do the same if 
they could factor n, but it is generally believed that this factorization 
problem, though of course it can be solved in principle, is extremely 
difficult and requires an enormous investment on the part of anyone 
trying to intercept the message. The needed investment can be in- 
creased by increasing the sizes of p and q or by adding a second level 
of encryption—that is, by first transmitting as a secret number the
code that will be used to transmit the actual secret number. 


(Note that knowing $\phi(n)$ is virtually the same as knowing the
factorization n = p · q of n because p and q are the roots of the
quadratic polynomial
$(x - p)(x - q) = x^2 - (p + q)x + pq = x^2 - (n - \phi(n) + 1)x + n$
and can therefore be found using the quadratic
formula—square roots are easy—once n and $\phi(n)$ are known.)


If anyone has secretly devised a method of finding r given n and e 
without the huge investment that is generally believed to be necessary, 
the secret is well guarded. 
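
The whole exchange on small numbers, as an added Python example rather than code from the book: the primes $2^{31} - 1$ and $10^9 + 7$ and the starting point for e are constructed sample values, far too small for real use, and the function names are chosen here. `factor_from_phi` carries out the quadratic-formula remark above, which is why $\phi(n)$ has to be guarded as carefully as p and q.

```python
from math import gcd, isqrt

# Constructed sample values (not from the book): two known 10-digit primes.
P_PRIME = 2147483647          # 2^31 - 1
Q_PRIME = 1000000007          # 10^9 + 7
E_START = 100000000000000     # first 15-digit number, start of the search
SECRET = 1234567890987654321  # the plain text P of the chapter's exercise


def reciprocal(e, m):
    """Augmented Euclidean algorithm: return r with r*e = 1 mod m."""
    old_r, r = e, m
    old_s, s = 1, 0
    while r != 0:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
    if old_r != 1:
        raise ValueError("e is not relatively prime to the modulus")
    return old_s % m


def make_key(p, q, e_start):
    """Return (n, e, r): public n and e, private decoding exponent r."""
    n = p * q
    phi_n = (p - 1) * (q - 1)        # valid only if p and q are prime
    e = e_start
    while gcd(e, phi_n) != 1:        # trial and error, as in the text
        e += 1
    return n, e, reciprocal(e, phi_n)


def encrypt(plain, e, n):
    """Deep Throat's step: C = P^e mod n."""
    if not 0 <= plain < n:
        raise ValueError("the plain text must be less than n")
    return pow(plain, e, n)


def decrypt(cipher, r, n):
    """Our step: P = C^r mod n."""
    return pow(cipher, r, n)


def factor_from_phi(n, phi_n):
    """Recover (p, q) from n and phi(n) with the quadratic formula."""
    s = n - phi_n + 1                # p + q
    disc = s * s - 4 * n             # (p - q)^2
    if disc < 0:
        raise ValueError("n and phi(n) are inconsistent")
    root = isqrt(disc)
    if root * root != disc or (s - root) % 2:
        raise ValueError("n and phi(n) are inconsistent")
    return (s - root) // 2, (s + root) // 2


if __name__ == "__main__":
    n, e, r = make_key(P_PRIME, Q_PRIME, E_START)
    c = encrypt(SECRET, e, n)
    print("n =", n, "e =", e)
    print("C =", c)
    print("decoded:", decrypt(c, r, n))
    print("factors from phi(n):",
          factor_from_phi(n, (P_PRIME - 1) * (Q_PRIME - 1)))
```

This is the bare scheme of the chapter, with a deterministic encoding and no padding of the plain text.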


Warning: Cryptography is not pure mathematics; codes are of- 
ten broken using subtle clues that are unrelated to the mathematical 
problem the code poses. This book is not the place for an examination 
of such subtleties. 


Exercise for Chapter 12 


Let the secret number be P = 1234567890987654321. Use Miller’s
test and trial-and-error to find two (very probably) prime numbers p
and q with ten digits. Use trial-and-error to find a 15-digit number e
relatively prime to $\phi(pq) = (p - 1)(q - 1)$. Momentarily take the role
of Deep Throat—who is given the values of e and n = pq (but not of p
and q)—and compute $C \equiv P^e \bmod n$. Then satisfy yourself that you
can find $P \equiv C^r \bmod n$ by using your knowledge of the factorization
of n to determine the needed r.
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Primitive Roots mod p 


By Fermat’s theorem, the order mod p of any a that is relatively 
prime to p divides p — 1. In particular, p — 1 is the largest possible 
order mod p of any number relatively prime to p. One finds in fact 
that for any prime p the order of at least one a mod p is p— 1. For 
example, the orders mod 7 of 1, 2, 3, 4, 5, and 6 are 1, 3, 6, 3, 6, and 
2, respectively, so the maximum order 6 occurs twice. 


It seems to have been well known, many years before Gauss gave 
the first proof, that for every prime p there are numbers relatively 
prime to p whose orders mod p have the maximum value $p - 1$. Such
numbers are called primitive roots mod p. It was even known
that the number of primitive roots mod p is exactly $\phi(p - 1)$. For
example, there are $\phi(6) = 2$ primitive roots mod 7, namely, 3 and 5.
(In counting the primitive roots, it is natural to count just those that 
are less than p. Strictly speaking, 10 is a primitive root mod 7, but 
it is to be regarded in this context as being the same as 3.) 


Gauss says: “This theorem gives an excellent example of how 
much caution must be taken in the theory of numbers not to assume 
things are true that in fact have not been proved” [G, Art. 56]. He 
goes on to say that one of his predecessors, Lambert, had stated that 
there are $\phi(p - 1)$ primitive roots mod p without even mentioning
the need for a proof, and that his most illustrious predecessor, Euler,
recognized that a proof was necessary but failed to give an entirely
satisfactory one. Gauss himself gave two proofs in his Disquisitiones
Arithmeticae. His second proof (in Article 54 of the book) is perhaps 
a little less elegant than his first, but it is more algorithmic—it tells 
exactly how to find a primitive root. 


Theorem. For any prime p, there is a primitive root mod p. 


Gauss’s proof in Article 54 depends on a simple lemma that will 
be proved in the next chapter: 


Lemma. If p is a prime number and if n is any positive number,
there are at most n numbers a less than p for which $a^n \equiv 1 \bmod p$.


To put it more colloquially, the number of nth roots of 1 mod p 
is at most n. More generally, a polynomial of degree n (in the case at 
hand the polynomial is $x^n - 1$) has at most n distinct roots mod p.


Proof of the theorem. If a primitive root mod p is known, one
can find a number whose order mod p is any given factor of $p - 1$.
Specifically, if g is a primitive root mod p and f is a factor of $p - 1$,
then $g^{(p-1)/f}$ has order f mod p. (Its fth power is $g^{p-1} \equiv 1 \bmod p$
and a lower power of $g^{(p-1)/f}$ is g raised to a power less than $p - 1$
so it cannot be 1 mod p by the defining property of g.) Gauss’s proof
goes the other way: It constructs elements of order f for certain types
of factors of $p - 1$ and uses them to construct a primitive root mod p.
Specifically, it constructs elements whose order mod p is $q^e$ for each
prime factor q of $p - 1$, where e is the number of times q divides $p - 1$.


First, for each distinct prime factor q of $p - 1$ find a number a in
the range 1, 2, ..., $p - 1$ for which $a^{(p-1)/q} \not\equiv 1 \bmod p$. By the lemma,
at most $(p - 1)/q$ numbers in this range fail to have this property, so
such a number is sure to be found after at most $\frac{p-1}{q} + 1$ trials.


Next, for each such q let a number b be determined mod p by the
condition $b \equiv a^{(p-1)/q^e} \bmod p$, where a is the number found for this
q in the first step and where e is the number of times q divides $p - 1$.
(If e = 1, as will be the case for most if not all of the prime divisors
q of $p - 1$, the number $b = a^{(p-1)/q}$ will already have been found in
the course of finding a.)

It will be shown that the product, call it g, of the numbers b found
in this way, with one factor of g for each prime factor q of $p - 1$, is a
primitive root mod p.


The factor b of g corresponding to the prime q satisfies $b^{q^e} \equiv 1 \bmod p$,
where e is the number of times q divides $p - 1$, because
$b^{q^e} \equiv a^{p-1} \equiv 1 \bmod p$ for the corresponding a. Therefore, the order
of b mod p divides $q^e$, which means that the order of b mod p is $q^j$ for
some $j \le e$. If j were not equal to e then the order of b would divide
$q^{e-1}$, which is impossible because b to the power $q^{e-1}$ is a to the power
$\frac{p-1}{q^e} \cdot q^{e-1} = \frac{p-1}{q}$ and a was chosen to make $a^{(p-1)/q} \not\equiv 1 \bmod p$. In
short, b must have order $q^e$ mod p.


For a prime factor Q of $p - 1$, it follows that $b^{(p-1)/Q} \equiv 1 \bmod p$
if and only if Q is not the prime q used to construct b, because the
order $q^e$ of b mod p fails to divide $\frac{p-1}{Q}$ if and only if division by Q
removes one of the e occurrences of q in the factorization of $p - 1$.
Thus $g^{(p-1)/Q}$ is a product of factors $b^{(p-1)/Q}$, all but one of which
are 1 mod p, but the remaining one, which corresponds to the prime
factor Q of $p - 1$, is not 1 mod p.


Therefore $g^{(p-1)/Q} \not\equiv 1 \bmod p$ for each prime factor Q of $p - 1$.
Since the order of g mod p divides $p - 1$, it must therefore be $p - 1$,
because every other divisor of $p - 1$ divides $(p - 1)/Q$ for at least one
prime factor Q of $p - 1$. Thus, g is a primitive root mod p, as was to
be shown. □
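
The construction in the proof runs as written. The following Python sketch is an added example, not code from the book: for each prime q dividing $p - 1$ it searches for a, forms the element b of order $q^e$, and multiplies the b's to obtain g. The function names are hypothetical, and p is assumed to be a prime small enough for $p - 1$ to be factored by trial division.

```python
def prime_power_factors(m):
    """Factor m by trial division into a list of (q, e) with q prime."""
    out = []
    q = 2
    while q * q <= m:
        if m % q == 0:
            e = 0
            while m % q == 0:
                m //= q
                e += 1
            out.append((q, e))
        q += 1
    if m > 1:
        out.append((m, 1))
    return out

def gauss_elements(p):
    """For each prime power q^e exactly dividing p - 1 return (q, e, a, b).

    a is the first number with a^((p-1)/q) not congruent to 1 mod p and
    b = a^((p-1)/q^e) mod p, which has order q^e mod p.
    """
    found = []
    for q, e in prime_power_factors(p - 1):
        a = 2                       # a = 1 can never pass the test
        while pow(a, (p - 1) // q, p) == 1:
            a += 1
        b = pow(a, (p - 1) // q ** e, p)
        found.append((q, e, a, b))
    return found

def gauss_primitive_root(p):
    """Product mod p of the elements b, one for each prime factor of p - 1."""
    g = 1
    for _, _, _, b in gauss_elements(p):
        g = g * b % p
    return g

def order(a, p):
    """Order of a mod p for a prime p not dividing a."""
    n = p - 1
    for q, _ in prime_power_factors(p - 1):
        # Strip factors of q from n as long as a^(n/q) is still 1 mod p.
        while n % q == 0 and pow(a, n // q, p) == 1:
            n //= q
    return n

def is_primitive_root(g, p):
    """g is a primitive root iff g^((p-1)/Q) != 1 mod p for every prime Q | p - 1."""
    return all(pow(g, (p - 1) // q, p) != 1
               for q, _ in prime_power_factors(p - 1))

if __name__ == "__main__":
    for p in (7, 13, 65537):
        print(p, gauss_elements(p), gauss_primitive_root(p))
```

For p = 7 the search gives a = 3 for q = 2 and a = 2 for q = 3, so b = 6 and b = 4, and their product is 3 mod 7, one of the two primitive roots named in the text.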


Corollary. For any prime p, the number of numbers a in the range
$0 < a < p$ whose orders mod p are r is 0 if r does not divide $p - 1$ and
is $\phi(r)$ if r does divide $p - 1$. In particular, the number of primitive
roots mod p is $\phi(p - 1)$.


Deduction. The statement to be proved is clear in the case r = 1— 
there is just one number less than p whose order mod p is 1, namely, 
the number 1, and $\phi(1) = 1$. Therefore, assume r > 1.


That there are no numbers of order r when r does not divide p—1 
follows from Fermat’s theorem. 


Suppose now that r does divide $p - 1$, and let g be a primitive root
mod p. As was noted above, $g^{(p-1)/r}$ has order r mod p. It will be
shown that if a is one number whose order mod p is r, then a number
b has order r mod p if and only if it is of the form $b \equiv a^i \bmod p$ where
i is less than r and relatively prime to r. Since there are $\phi(r)$ such
values of i less than $p - 1$ (of course one counts two values of i as
being the same if they are congruent mod $(p - 1)$ because then they
produce the same value of $a^i$ mod p), the corollary will follow.


If a has order r mod p, then $a, a^2, a^3, \ldots, a^r$ are distinct mod p
and all of them satisfy $(a^i)^r \equiv 1 \bmod p$. By the lemma above, which
is to be proved in Chapter 14, there are at most r distinct numbers
mod p with this property, so $x^r \equiv 1 \bmod p$ implies $x \equiv a^i \bmod p$ for
some i. By the same token, if $a^i$ has order r, then, since $a^r \equiv 1 \bmod p$,
a must be a power of $a^i$, say $a \equiv (a^i)^j$. Then $a \equiv a^{ij} \bmod p$, which
implies $1 \equiv a^{ij-1} \bmod p$ so the order r of a mod p divides $ij - 1$,
which is to say $ij \equiv 1 \bmod r$. In particular, i is relatively prime to
r. Thus, every element of order r has the form $a^i$ where i is at most
r and is relatively prime to r. Conversely, if i is relatively prime to
r, then the augmented Euclidean algorithm gives a solution (u, v) of
$1 + ur = vi$ so $a \equiv a \cdot (a^r)^u = (a^i)^v \bmod p$, so every power of a is a
power of $a^i$. Since a has r distinct powers, so must $a^i$, and the order
of $a^i$, which is obviously at most r, cannot be less than r, as was to
be shown. □


Exercises for Chapter 13 


Study Questions. 


1. Show by repeated doubling of 1 that 2 is a primitive root mod 
13. Use this fact to find the numbers whose orders mod 13 are r for 
r = 12, 6, 4, 3, 2, and 1.


2. Make use of the corollary to prove the interesting identity 


$\sum_{d} \phi(d) = p - 1$


where the sum is over all divisors d of $p - 1$. (For example, when
$p = 13$, the identity is $\phi(1) + \phi(2) + \phi(3) + \phi(4) + \phi(6) + \phi(12) = 12$,
which is to say $1 + 1 + 2 + 2 + 2 + 4 = 12$.) Verify the formula for a
few other primes p.


3. Given one number whose order mod p is 25, describe a con- 
struction that finds all numbers whose order mod p is 25. How many 
are there? In this case, how many elements of order 5 are there and 
how can they be found? 


Computations. 


4. Find a primitive root mod 101 and use it to find one number 
whose order mod 101 is 25 and one number whose order mod 101 is 5. 


5. Use Gauss’s method to find a primitive root mod 257. How 
many are there? Is 3 one of them? Is 11? Give a simple test that 
tells whether a given number is a primitive root mod 257. 


6. Use Miller’s test to find a 6-digit (very probably) prime p 
whose last two digits are 01. Factor p — 1 and use Gauss’s method 
to find, for each prime factor q of p — 1, a number whose order mod 
p is $q^e$ where e is the number of times q divides $p - 1$. Then find a
primitive root mod p by finding their product mod p. 


7. For the primes p = 37, 41, 43, determine whether there are 
numbers whose orders mod p are 4 and, if so, find all such numbers. 


Polynomials


The method of algebra, of performing computations that involve let- 
ters as well as numbers, has a place in number theory too. More 
properly, the letters are called indeterminates. They may eventually 
be given numerical values—and they may be unknowns of the problem 
which will eventually be determined at the end of the calculations— 
but one computes with them without knowing anything about them. 
The only assumption is that they obey the same computational rules— 
associativity, distributivity, commutativity—that numbers do. 


In this chapter, computations that involve one letter will be used 
to prove the lemma of Chapter 13. The natural choice for that one 
letter is x. If you start with x and allow addition and multiplication,
possibly involving numbers, you will be dealing with polynomials in x,
which is to say expressions of the form $c_0x^n + c_1x^{n-1} + c_2x^{n-2} + \cdots + c_n$
in which n is a number and the “coefficients” $c_0, c_1, \ldots, c_n$ are
also numbers. Polynomials are added and multiplied according to 
the usual rules—which follow from the associative, distributive, and 
commutative laws just mentioned—and the result is another polyno- 
mial. Note that numbers are included among polynomials—namely, 
as polynomials in which n = 0, the so-called constant polynomials. 


The concept of congruence mod m for a number m extends to 
polynomials in an obvious way. Given a number m, two polynomials 
are said to be congruent mod m if they can be made equal by adding 
polynomials of the form $mx^i$ (“multiples of m” when the meaning
of this phrase is extended to include multipliers that involve x) to
one or the other or both of them. Otherwise stated, two polynomials
$c_0x^n + c_1x^{n-1} + c_2x^{n-2} + \cdots + c_n$ and $c'_0x^n + c'_1x^{n-1} + \cdots + c'_n$ are
congruent mod m if $c_i \equiv c'_i \bmod m$ for each i.

The theorem below deals with polynomials in which $c_0 = 1$. Such
polynomials are called monic. 


As one easily sees, computations with polynomials mod m make 
sense in the same way that computations with numbers mod m do: 
Sums of polynomials are congruent mod m when the summands are 
congruent mod m, and the same is true of products. 


With polynomials, there is a new type of operation, along with 
addition and multiplication, which is the operation of evaluation. If 
f(x) is a polynomial and a is a number, then the value of f(x) when 
x = a, denoted f(a), is simply the number that results when you 
replace the letter x with the number a and compute all the powers, 
products, and sums indicated by the polynomial. This operation 
is “consistent with addition and multiplication” in the sense that 
f(a) + g(a) is the value of f(x) + g(x) when x = a, and f(a)g(a) is 
the value of f(x)g(x) when x = a because these rules follow from the 
commutative, associative, and distributive laws of arithmetic. 


The main step in the proof of the lemma of Chapter 13 is the 
following limited sort of division with remainder of polynomials. 


Theorem. Let f(x) be a monic polynomial $x^n + c_1x^{n-1} + c_2x^{n-2} + \cdots + c_n$
in which n > 0, let m be a modulus greater than 0, and let b
be a number. The congruence


(1) $f(x) \equiv (x - b)q(x) + r \bmod m$


determines a monic polynomial $q(x) = x^{n-1} + q_1x^{n-2} + \cdots + q_{n-1}$
mod m and a number r mod m in the sense that there are solutions
q(x) and r of this problem, and all solutions are congruent mod m.


(Although, strictly speaking, $x - b$ is not a “polynomial” according
to the above definition, the meaning of congruence (1) should be clear,
because minus signs always make sense in congruences. Instead of
writing $x - b$, one could write $x + a$ where a is a number for which
$a + b \equiv 0 \bmod m$.)


Proof. The congruence $f(x) \equiv (x - b)q(x) + r \bmod m$ amounts to n
congruences $c_1 \equiv q_1 - b \bmod m$, $c_2 \equiv q_2 - q_1b \bmod m$, ..., $c_{n-1} \equiv q_{n-1} - q_{n-2}b \bmod m$,
and $c_n \equiv -q_{n-1}b + r \bmod m$ when one observes
that the coefficients of corresponding powers of x must be congruent
mod m. When these congruences are rewritten in the form $q_1 \equiv c_1 + b \bmod m$,
$q_2 \equiv c_2 + q_1b \bmod m$, ..., $q_{n-1} \equiv c_{n-1} + q_{n-2}b \bmod m$,
and $r \equiv c_n + q_{n-1}b$, they make it possible to determine $q_1, q_2, \ldots, q_{n-1}$,
and r successively mod m, so f(x) and b determine q(x) and
r mod m. Conversely, if q(x) and r are found using these congruences,
then the original congruences are satisfied, which is to say that
$f(x) \equiv (x - b)q(x) + r \bmod m$. □


Corollary. The lemma of Chapter 13. More generally, for a given 
prime number p and a given monic polynomial of degree n, at most 
n numbers b less than p satisfy f(b) = 0 mod p. 


Deduction. Let the number of solutions b < p of f(b) = 0 mod p be 
called the “number of roots of f(x) mod p.” Thus, the problem is to 
show that a monic polynomial of degree n cannot have more than n 
roots mod p. 


Let b be a root of $f(b) \equiv 0 \bmod p$, where p is prime, and let
the theorem be used to determine a polynomial q(x) of degree $n - 1$
and a remainder r for which $f(x) \equiv (x - b)q(x) + r \bmod p$. Then
$f(b) \equiv (b - b)q(b) + r \bmod p$ shows that $0 \equiv r \bmod p$ so r can be taken
to be zero. Any root b′ of f(x) satisfies $(b' - b)q(b') \equiv f(b') \equiv 0 \bmod p$.
If $b' \not\equiv b \bmod p$, then the factor $b' - b$ is not congruent to zero mod
p, so, since p is prime, the congruence $(b' - b)q(b') \equiv 0 \bmod p$ implies
$q(b') \equiv 0 \bmod p$.

In short, each root of f(x) mod p other than b is a root of q(x) mod
p, so the existence of a monic polynomial f(x) of degree n with more
than n distinct roots mod p would imply the existence of a monic
polynomial q(x) of degree $n - 1$ with more than $n - 1$ distinct roots
mod p.

Repetition of this argument $n - 1$ times shows that the existence
of a monic polynomial of degree n with more than n distinct roots
mod p would imply the existence of a polynomial $x + c$ that had more
than one root mod p, which is absurd because $b + c \equiv 0 \equiv b' + c \bmod p$
implies $b \equiv b' \bmod p$. Therefore, a monic polynomial of degree n can
have at most n distinct roots mod p, as was to be shown. □
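
The recurrences in the proof of the theorem are a complete algorithm for dividing by $x - b$ mod m. The following Python sketch is an added example, not code from the book: it carries out the division, multiplies back to confirm congruence (1), peels roots off one at a time as in the deduction, and shows on the constructed case $x^2 - 1$ mod 8 how the bound fails when the modulus is not prime. Polynomials are lists of coefficients, highest power first; the function names are hypothetical.

```python
def divide_by_linear(f, b, m):
    """Divide monic f = [1, c1, ..., cn] by (x - b) mod m.

    Returns (q, r) with q = [1, q1, ..., q_{n-1}], using the recurrences
    q1 = c1 + b, q_k = c_k + q_{k-1} b, r = cn + q_{n-1} b (all mod m).
    """
    if len(f) < 2 or f[0] != 1:
        raise ValueError("f must be monic of degree n > 0")
    q = [1]
    for c in f[1:-1]:
        q.append((c + q[-1] * b) % m)
    r = (f[-1] + q[-1] * b) % m
    return q, r

def expand(q, b, r, m):
    """Coefficients of (x - b) q(x) + r mod m, to check congruence (1)."""
    out = [q[0] % m]
    for prev, cur in zip(q, q[1:]):
        out.append((cur - b * prev) % m)
    out.append((r - b * q[-1]) % m)
    return out

def evaluate(f, a, m):
    """Value f(a) mod m."""
    v = 0
    for c in f:
        v = (v * a + c) % m
    return v

def roots(f, m):
    """All numbers a < m with f(a) congruent to 0 mod m."""
    return [a for a in range(m) if evaluate(f, a, m) == 0]

def split_off_roots(f, p):
    """For prime p, repeatedly divide out (x - b) for a root b.

    Returns (roots found in order, remaining cofactor). Each division
    lowers the degree by one, so at most n roots can ever be found.
    """
    found = []
    while len(f) > 1:
        b = next((a for a in range(p) if evaluate(f, a, p) == 0), None)
        if b is None:
            break
        f, _ = divide_by_linear(f, b, p)
        found.append(b)
    return found, f

if __name__ == "__main__":
    f = [1, 0, 0, 0, -1]                       # x^4 - 1, constructed sample
    print(divide_by_linear(f, 2, 5))           # quotient and remainder mod 5
    print(split_off_roots(f, 5))               # four roots, cofactor [1]
    # Composite modulus: x^2 - 1 has four roots mod 8, more than its degree.
    g = [1, 0, -1]
    q, r = divide_by_linear(g, 1, 8)
    print(roots(g, 8), q, r, evaluate(q, 3, 8))
```

Mod 8 the division by $x - 1$ still works, but 3 is a root of $x^2 - 1$ without being a root of the quotient $x + 1$, because $(3 - 1)(3 + 1) = 8$ is 0 mod 8 with neither factor 0; this is exactly the step that uses the primality of p.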


Exercises for Chapter 14 


1. (a) Find the number less than 13 that is congruent mod 13 to
$f(x) = x^6 - 1$ for $x = 0, 1, \ldots, 12$. (b) Find q(x) and r for which
$x^6 - 1 \equiv (x - 1)q(x) + r \bmod 13$. (c) Find the roots of
$x^5 + x^4 + x^3 + x^2 + x + 1$ mod 13. (d) Describe the relation between the answers to
parts (a), (b), and (c).

2. Write $x^{13} - x$ mod 13 as a product of polynomials of the form
$x + a$. (Actually, thanks to Fermat’s theorem, you can do this without
computation.)


3. Find a polynomial f(x) of degree 3 for which there is only 1
solution of $f(a) \equiv 0 \bmod 7$. Find one for which there are no solutions.
(Trial-and-error.)


Tables of Indices mod p


Given a prime p and a primitive root g mod p, every positive number 
$n < p$ is congruent to $g^i$ mod p for exactly one positive number i less
than p. This number is called the index¹ of n mod p relative to the
chosen primitive root g mod p. In dealing with specific problems mod 
p—for example, in solving quadratic equations mod p—it is useful 
to have tables giving the indices mod p of the positive numbers less 
than p and tables of the inverse function, giving the numbers when the 
index is known. Such tables were useful enough to students of number 
theory in the 19th century that the well-known mathematician C. G. 
J. Jacobi published tables of indices [J] for all primes less than 1000. 


As was seen in Chapter 8, today it is easy with a programmable
calculator to compute the inverse function—that is, to find $g^i$ mod p
when i is given—but even with a calculator indices are not easy.
Tables of logarithms, to which Jacobi’s tables of indices are strongly
analogous, are utterly obsolete today because calculators have such
functions built in, but Jacobi’s tables are somewhat less obsolete. Of
course a computer can easily be programmed to generate them, but
the needed computations do not seem to lie within the practical range
of programmable calculators.

¹In this definition, the index of 1 is $p - 1$, but one could obviously also
consider 0 to be the index of 1 mod p. In any event, it is natural to regard indices
as being numbers that are only determined mod $p - 1$, in which case it makes no
difference whether 0 or $p - 1$ is given as the index of 1. Jacobi always lists the
value $p - 1$.


In any case, whether such tables are useful or not, and whether 
calculators have made their construction obsolete or not, it is useful 
conceptually in dealing with the arithmetic of numbers mod p to think 
in terms of the index function (relative to a given primitive root) and 
its inverse, and a table is nothing but a very concrete presentation of 
that function. 

Jacobi used a format like the following: 

p = 7
numbers            indices
1 2 3 4 5 6        1 2 3 4 5 6
3 2 6 4 5 1        6 2 1 4 5 3

Each of these tables gives a function. The top rows, in italics, are to 
be regarded as captions and the numbers below them as values of the 
function for the numbers in the captions. The table on the left gives 
the first six powers of the primitive root 3 mod 7 and the table on the 
right gives the inverse function, which is the index; it tells for each 
number from 1 to 6 which power of the primitive root is congruent to 
that number mod 7. 


The table on the left is easy to construct using a calculator, and 
then the one on the right can be found by interchanging the rows and 
rearranging the columns to put the top row in ascending order. When 
the number of numbers tabulated is greater than 9, Jacobi arranged 
the tables in the following format: 


p = 17
numbers                               indices
   0  1  2  3  4  5  6  7  8  9          0  1  2  3  4  5  6  7  8  9
0    10 15 14 04 06 09 05 16 07       0    16 10 11 04 07 05 09 14 06
1 02 03 13 11 08 12 01                1 01 13 15 12 03 02 08


In these tables, the primitive root 10 mod 17 is used, as is seen from 
the fact that it is the value of the function for 1 in the numbers table. 
The placement of the numbers in the table describes, as the italicized
row and column captions indicate, the values of the independent variable
to which they belong. For example, the number 12 in the table
of indices in the column captioned 3 and the row captioned 1 means 
that 12 is the index of 13. The steps in the construction of the tables 
are: First, choose a primitive root mod 17. (Jacobi always used 10 
if, as in the case of 17, it was a primitive root.) Then construct the 
“numbers” table simply by computing the successive powers of the 
chosen primitive root. Finally, “invert” the numbers table to find 
the table of indices. For example, the entry in the column captioned 
5 and the row captioned 1 of the table of indices is determined by 
locating the entry 15 in the numbers table; since it is in the column 
captioned 2 of the row captioned 0, the entry in the index table is 2. 


Figure 1 reproduces Jacobi’s tables for two larger primes, namely, 
for p = 151 and p = 157. 


The quadratic formula reduces the solution of a congruence of the
form $ax^2 + bx + c \equiv 0 \bmod p$ to finding a square root of $b^2 - 4ac$ mod p.
But square roots mod p are easy to find using a table of indices by
virtue of:


Proposition. If the index i of a number mod p is odd, the number
has no square root mod p. If i is even, then the number has two square
roots mod p, namely, the numbers whose indices are $\frac{i}{2}$ and $\frac{i + p - 1}{2}$.

Proof. Let n be a given number less than p and let i be its index
mod p. If $n \equiv m^2 \bmod p$, then the index of m mod p, call it j, satisfies
$2j \equiv i \bmod (p - 1)$, because $n \equiv m^2 \equiv g^{2j} \bmod p$. Because $p - 1$ is
even, this congruence has no solution j when i is odd, and it has the
two solutions mod $(p - 1)$ given in the statement of the proposition
when i is even. □


Similarly, to find a cube root mod p of a number whose index
mod p is i, one needs to find all solutions j of $3j \equiv i \bmod (p - 1)$.
The solution of this problem depends on whether $p - 1$ is divisible
by 3. If not, then 3 has a reciprocal mod $(p - 1)$ and the congruence
$3j \equiv i \bmod (p - 1)$ has exactly one solution j for any given i. Thus,
in this case, each number relatively prime to p has a unique cube
root mod p. On the other hand, if 3 divides $p - 1$, the congruence
$3j \equiv i \bmod (p - 1)$ has no solutions if i is not divisible by 3 and has
3 solutions when i is divisible by 3, namely, $j = \frac{i}{3}$, $j = \frac{i + p - 1}{3}$, and
$j = \frac{i + 2(p - 1)}{3}$.


Figure 1. Page 13 of Jacobi’s Canon Arithmeticus [J], giving tables
of numbers and indices for the primes 151 and 157.


Thus, an index table for p makes it possible to find all cube roots
mod p of a given number, and, in the same way, makes it possible to
find all fourth roots, fifth roots, and so forth, mod p.


An index table also serves the function that was served by tables
of logarithms in the pre-computer era, namely, the conversion of
multiplication into addition. To multiply two numbers mod p, find
their indices in the table of indices, add them, and use the table of
numbers to find the number of which this sum is the index.
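
The uses of the tables described in this chapter can be carried out by program. The following Python sketch is an added example, not code from the book: it builds the numbers and indices tables for a given primitive root, arranges them in Jacobi's rows-of-ten format, finds kth roots by solving $kj \equiv i \bmod (p - 1)$ over the table (going beyond the square and cube roots worked in the text), and multiplies by adding indices. The function names are hypothetical; the index is what is now usually called the discrete logarithm.

```python
def build_tables(p, g):
    """Return (numbers, indices) for prime p and primitive root g.

    numbers[i] = g^i mod p for i = 1..p-1 and indices is its inverse,
    so the index of 1 is p - 1, as in Jacobi's tables.
    """
    numbers, indices = {}, {}
    x = 1
    for i in range(1, p):
        x = x * g % p
        if x in indices:
            raise ValueError("g is not a primitive root mod p")
        numbers[i] = x
        indices[x] = i
    return numbers, indices

def jacobi_layout(table, p):
    """Rows captioned by the tens digit, columns by the units digit."""
    rows = [[None] * 10 for _ in range((p - 1) // 10 + 1)]
    for arg in range(1, p):
        rows[arg // 10][arg % 10] = table[arg]
    return rows

def kth_roots(n, k, p, numbers, indices):
    """All kth roots of n mod p (n not divisible by p), smallest first.

    A number with index j is a kth root of n exactly when
    k*j is congruent to the index of n mod p - 1.
    """
    i = indices[n % p]
    return sorted(numbers[j] for j in range(1, p)
                  if (k * j - i) % (p - 1) == 0)

def multiply(a, b, p, numbers, indices):
    """Multiply mod p by adding indices, as with a table of logarithms."""
    s = (indices[a % p] + indices[b % p]) % (p - 1)
    return numbers[s or p - 1]      # index 0 is listed as p - 1

if __name__ == "__main__":
    numbers, indices = build_tables(17, 10)    # the p = 17 tables of the text
    for name, table in (("numbers", numbers), ("indices", indices)):
        print(name)
        for tens, row in enumerate(jacobi_layout(table, 17)):
            cells = ["  " if v is None else "%02d" % v for v in row]
            print(tens, " ".join(cells))
    print(kth_roots(13, 2, 17, numbers, indices))   # index 12 is even
    print(kth_roots(10, 2, 17, numbers, indices))   # index 1 is odd
    print(multiply(13, 15, 17, numbers, indices))
```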


Exercises for Chapter 15 


1. Jacobi’s tables for the prime 31 are based on the primitive 
root 17 mod 31. Construct these tables. 


2. Choose a prime p, find a primitive root mod p, and construct 
the corresponding tables. 


Questions based on Jacobi’s tables for p = 151 and p = 157: 


3. Modulo one of the primes 151 and 157 the polynomial $x^2 + 2x - 1$
has two roots, and modulo the other it has none. Use Jacobi’s
tables to determine which is which, and find the roots in the case in
which there are roots. Verify that $x^2 + 2x - 1 \equiv (x - r_1)(x - r_2) \bmod p$,
where p is the prime for which there are two roots and $r_1$ and $r_2$ are
the roots.


4. Use Jacobi’s table to find three primitive roots mod 157. How 
many primitive roots are there mod 157? How many mod 151? 

5. Find a number that has no cube root mod 157. Find a number 
that does have a cube root mod 157, and find all of its cube roots. 
Verify by cubing on your calculator and checking that the cube minus 
the number is divisible by 157. 


6. Find the order of 30 mod 157. Find the order of 90 mod 157. 

7. Use the tables to compute a million (that is, $10^6$) mod 151
and mod 157. (You can find both answers using mental calculation
alone.) Check your answer using a calculator.


Brahmagupta’s Formula and Hypernumbers


The next several chapters are devoted to the solution of the problem 
$A\square + B = \square$ posed in Chapter 2. A treatise written in the 7th century
by the Indian mathematician Brahmagupta contains an observation 
that is a key tool in the solution of this problem. Brahmagupta did 
not use symbolic algebra, so his observation is stated in words instead 
of symbols, which makes even his statement of the formula difficult to 
follow; that the formula was discovered and proved without the use of 
symbolic algebra is amazing. Very possibly, the formula is evidence 
of a mathematical culture that had been preserved and extended in 
various parts of the world ever since the Pythagorean and Greek works 
of a thousand years before (see Chapter 2). 


Brahmagupta’s Formula. If A, B, B′, x, y, u, and v are numbers
for which

$Ax^2 + B = y^2$

and

$Au^2 + B' = v^2$,

then

$A(xv + yu)^2 + BB' = (Axu + yv)^2$.

In other words, a solution of $A\square + B = \square$ can be combined with
a solution of $A\square + B' = \square$ to find a solution of $A\square + BB' = \square$.


Proof. The proof using symbolic algebra is easy, but not trivial.
Multiply the given equations to find

$A^2x^2u^2 + Ax^2B' + Au^2B + BB' = y^2v^2$

and add $A^2x^2u^2$ to both sides to find

$(A^2x^2u^2 + Ax^2B') + (A^2x^2u^2 + Au^2B) + BB' = A^2x^2u^2 + y^2v^2$,

which is to say

$Ax^2 \cdot v^2 + Au^2 \cdot y^2 + BB' = A^2x^2u^2 + y^2v^2$

from which Brahmagupta’s formula

$A(xv + yu)^2 + BB' = (Axu + yv)^2$

follows when $2Axuyv$ is added to both sides. □


In modern texts on number theory, Brahmagupta’s formula is
most often stated, “The norm of the product of $y + x\sqrt{A}$ and $v + u\sqrt{A}$
is the product of their norms.” This statement is easily proved once
meaning is given to the symbols $y + x\sqrt{A}$ and $v + u\sqrt{A}$ and to algebraic
operations with them, which is normally done in an ad hoc way that
asks the reader to accept without question that $x + y\sqrt{A}$ is a “number”
when x and y are integers (possibly negative) and A is a number that
is not a square.

Granted the free use of these symbols, Brahmagupta’s formula
follows when one multiplies the product

(1) $(y + x\sqrt{A})(v + u\sqrt{A}) = (yv + Axu) + (xv + yu)\sqrt{A}$

and its “conjugate”

$(y - x\sqrt{A})(v - u\sqrt{A}) = (yv + Axu) - (xv + yu)\sqrt{A}$

to find

$(y^2 - Ax^2)(v^2 - Au^2) = (yv + Axu)^2 - A(xv + yu)^2$,

which is Brahmagupta’s formula when B and B′ are defined to be
$y^2 - Ax^2$ and $v^2 - Au^2$, respectively. The convenience of this mnemonic
for Brahmagupta’s formula is the prime reason for dealing with what
we will call hypernumbers in the following chapters.


We define a hypernumber for a given number A that is not a
square¹ to be a formal expression of the form $y + x\sqrt{A}$, where x and
y are numbers and where $\sqrt{A}$ is merely a symbol. Like numbers, hypernumbers
can be added and multiplied. Addition of hypernumbers
is defined by


(2) $(y + x\sqrt{A}) + (v + u\sqrt{A}) = (y + v) + (x + u)\sqrt{A}$


and their multiplication is defined by formula (1).


As is easily checked, the usual commutative, associative, and dis- 
tributive laws of addition and multiplication hold for these opera- 
tions, so computations with hypernumbers follow the same rules as 
computations with numbers, although the real meaning of such com- 
putations may cause the reader some philosophical unease. The usual 
attitude of mathematicians in such matters is to ignore philosophical 
issues and to regard the computations as a game that is played with 
clearly stated rules and to regard theorems about hypernumbers as 
statements about the possible outcomes of moves in the game. 


In any discussion of hypernumbers, the value of A needs to be 
fixed at the outset. There will be no combining of hypernumbers with 
different values of A. 


As an illustration of the power of computations with hypernumbers,
note that in the case A = 2 the powers of the single hypernumber
$1 + \sqrt{2}$ produce all the ratios in the Pythagorean sequence of Chapter 2.
(See Exercise 1.) In the case A = 3, the powers of the single
hypernumber $2 + \sqrt{3}$ produce all the solutions of $3x^2 + 1 = y^2$ found
in Chapter 2, and the formula $(2 + \sqrt{3})^n(1 + \sqrt{3})$ for n = 0, 1, 2,
... produces all the solutions of $3x^2 - 2 = y^2$ (see Exercise 2). For
larger values of A and B, however, the use of hypernumbers in solving
$A\square + B = \square$ becomes somewhat more difficult, as will be seen in the
following chapters.

¹If A is a square, there is no need to regard $\sqrt{A}$ as a symbol. In that case, $\sqrt{A}$
is a number and the arithmetic of expressions $y + x\sqrt{A}$ is simply the arithmetic
of numbers.
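
Formula (1) and Brahmagupta's formula are easy to exercise by program. The following Python sketch is an added example, not code from the book: a hypernumber $y + x\sqrt{A}$ is stored as the pair (y, x), multiplication follows formula (1), and the solutions named in the paragraph above are generated as powers. The function names and the sample values A = 5, B = 4, B′ = 5 are constructed for illustration.

```python
def h_mul(h, k, A):
    """Formula (1): (y + x√A)(v + u√A) = (yv + Axu) + (xv + yu)√A."""
    (y, x), (v, u) = h, k
    return (y * v + A * x * u, x * v + y * u)

def h_norm(h, A):
    """y^2 - A x^2, the number B for which A x^2 + B = y^2."""
    y, x = h
    return y * y - A * x * x

def h_pow(h, n, A):
    """nth power of a hypernumber by repeated squaring."""
    result = (1, 0)
    while n:
        if n & 1:
            result = h_mul(result, h, A)
        h = h_mul(h, h, A)
        n >>= 1
    return result

def compose(A, first, second):
    """Brahmagupta's formula on triples (x, y, B) with A x^2 + B = y^2.

    Returns (xv + yu, Axu + yv, BB'), a solution for the product BB'.
    """
    for s, t, C in (first, second):
        if A * s * s + C != t * t:
            raise ValueError("not a solution of A x^2 + B = y^2")
    x, y, B = first
    u, v, B2 = second
    Y, X = h_mul((y, x), (v, u), A)
    return X, Y, B * B2

def solutions(A, unit, start, count):
    """Pairs (x, y) read off from start * unit^n for n = 0..count-1."""
    out = []
    h = start
    for _ in range(count):
        out.append((h[1], h[0]))
        h = h_mul(h, unit, A)
    return out

if __name__ == "__main__":
    # Powers of 1 + √2: numerators and denominators of the Pythagorean sequence.
    print([h_pow((1, 1), n, 2) for n in range(1, 9)])
    # Powers of 2 + √3 solve 3x^2 + 1 = y^2; times 1 + √3 they solve 3x^2 - 2 = y^2.
    print(solutions(3, (2, 1), (1, 0), 4))
    print(solutions(3, (2, 1), (1, 1), 3))
    # 5*1^2 + 4 = 3^2 combined with 5*2^2 + 5 = 5^2 gives 5*11^2 + 20 = 25^2.
    print(compose(5, (1, 3, 4), (2, 5, 5)))
```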


Exercises for Chapter 16 


1. Describe the Pythagorean sequence $\frac{1}{1}, \frac{3}{2}, \frac{7}{5}, \frac{17}{12}, \frac{41}{29}, \frac{99}{70}, \frac{239}{169}, \frac{577}{408}, \ldots$
of Chapter 2 in terms of the powers of the hypernumber
$1 + \sqrt{2}$.

2. The sequence of Exercise 2 in Chapter 2 can be seen as a
combination of the two sequences $(2 + \sqrt{3})^n$ (the terms with even
index) and $(1 + \sqrt{3})(2 + \sqrt{3})^n$ (the terms with odd index). Use this
description to derive the formulas for generating the sequence that 
were found in that previous exercise. 


3. Describe the sequence of Exercise 4, Chapter 2, in terms of 
hypernumbers. 


Modules of Hypernumbers


The notion of congruence of two numbers modulo two other numbers 
(see Chapter 4) extends immediately to hypernumbers for a given A. 
To say that two hypernumbers m and n are congruent modulo two 
other hypernumbers a and b (all for the same A) means that there are
hypernumbers s, t, u, v for that A for which $m + sa + tb = n + ua + vb$.
More generally, $m \equiv n \bmod [a_1, a_2, \ldots, a_k]$ for a list of hypernumbers
$a_1, a_2, \ldots, a_k$ means that there are hypernumbers $r_1, r_2, \ldots, r_k$ and
$s_1, s_2, \ldots, s_k$ for which $m + r_1a_1 + r_2a_2 + \cdots + r_ka_k = n + s_1a_1 + s_2a_2 + \cdots + s_ka_k$.

The statement that two lists $a_1, a_2, \ldots, a_k$ and $b_1, b_2, \ldots, b_l$ determine
the same congruence relation in this way will be represented
by the equation


$[a_1, a_2, \ldots, a_k] = [b_1, b_2, \ldots, b_l]$.


In other words, this equation states symbolically that two hypernumbers
m and n are congruent mod $[a_1, a_2, \ldots, a_k]$ if and only if they
are congruent mod $[b_1, b_2, \ldots, b_l]$. A list of hypernumbers (for a
given A) written between square brackets like this to indicate that
the list is to be considered as a modulus in a congruence will be
called a module, and when $[a_1, a_2, \ldots, a_k] = [b_1, b_2, \ldots, b_l]$, the
two modules will be called equal.

In Chapter 4, where the modules were lists of numbers rather than
hypernumbers, the comparison of modules was easy. The Euclidean
algorithm “subtract the lesser from the greater” made it possible,
using the rules $[a, 0] = [a]$ and $[a, b] = [a, b - a]$ (when $a < b$), to put
any module $[a_1, a_2, \ldots, a_k]$ in the form


$[a_1, a_2, \ldots, a_k] = [d]$


for a single number d. Two modules of numbers $[d_1]$ and $[d_2]$ are
equal if and only if $d_1 = d_2$, so this method solves the problem below
in the case of numbers. In the case of hypernumbers the solution is
slightly more difficult and much more interesting.


Problem. Given two lists of hypernumbers $a_1, a_2, \ldots, a_k$ and $b_1, b_2, \ldots, b_l$,
for a given A, determine whether $[a_1, a_2, \ldots, a_k] = [b_1, b_2, \ldots, b_l]$.


Note that the very definition of equality of modules easily implies 
that it is reflexive, symmetric, and transitive, and that a module is 
equal to any module obtained by rearranging its terms. The complete 
solution of the problem, which will be given in Chapter 18, depends 
on the following rule for transforming a given module: 


Theorem. If $c \equiv 0 \bmod [a, b]$, then $[a, b, c] = [a, b]$. More generally,
if $a_k \equiv 0 \bmod [a_1, a_2, \ldots, a_{k-1}]$, then $[a_1, a_2, \ldots, a_k] = [a_1, a_2, \ldots, a_{k-1}]$.

Proof. For simplicity of notation, just the first case will be considered;
the proof in the general case is essentially the same.


The assumption $c \equiv 0 \bmod [a, b]$ means that there are hypernumbers
s, t, u, v for which $c + sa + tb = ua + vb$. What is to be shown
is that then, for given hypernumbers m and n, there is an equation
of the form


(1) $m + Sa + Tb = n + Ua + Vb$


for some hypernumbers S, T, U, V if and only if there is an equation
of the form


(2) $m + \mathcal{S}a + \mathcal{T}b + Fc = n + \mathcal{U}a + \mathcal{V}b + Gc$

for some hypernumbers $\mathcal{S}$, $\mathcal{T}$, F, $\mathcal{U}$, $\mathcal{V}$, G. Of course (1) implies (2)
when one sets $\mathcal{S} = S$, $\mathcal{T} = T$, $F = 0$, $\mathcal{U} = U$, $\mathcal{V} = V$, and $G = 0$. For
the proof of the converse, let $(F + G)(sa + tb)$ be added to both sides
of (2) to find


$m + \mathcal{S}a + \mathcal{T}b + F(c + sa + tb) + G(sa + tb)$
$= n + \mathcal{U}a + \mathcal{V}b + F(sa + tb) + G(c + sa + tb)$.


The equation $c + sa + tb = ua + vb$ then makes it possible to eliminate
c and conclude that (1) holds for $S = \mathcal{S} + Fu + Gs$, $T = \mathcal{T} + Fv + Gt$,
$U = \mathcal{U} + Fs + Gu$, $V = \mathcal{V} + Ft + Gv$. □


Corollary 1. If $a$ and $b$ are hypernumbers and if $a$ can be subtracted
from $b$, then $[a, b] = [a, b - a]$.


Deduction. The equation $(b - a) + a = b$ implies both
$b - a \equiv 0 \bmod [a, b]$ and $b \equiv 0 \bmod [a, b - a]$, so the theorem implies both
$[a, b] = [a, b, b - a]$ and $[a, b - a] = [a, b - a, b]$, from which the desired
conclusion follows by transitivity. □


Corollary 2. If two modules are equal, then each can be transformed 
into the other by a sequence of steps in which the theorem is used 
simply to annex one entry to the list or drop one entry from the list. 


Deduction. Suppose $[a_1, a_2, \ldots, a_k] = [b_1, b_2, \ldots, b_l]$. Then each
$b$ is congruent to 0 mod $[a_1, a_2, \ldots, a_k]$ and each $a$ is congruent to
0 mod $[b_1, b_2, \ldots, b_l]$. The theorem can therefore be used to annex
$b_1, b_2, \ldots, b_l$ to $[a_1, a_2, \ldots, a_k]$ in $l$ steps and conclude that
$[a_1, a_2, \ldots, a_k] = [a_1, a_2, \ldots, a_k, b_1, b_2, \ldots, b_l]$. In the same way, then,
$a_1, a_2, \ldots, a_k$ can be dropped in $k$ steps to conclude that this module is
also equal to $[b_1, b_2, \ldots, b_l]$. □


There is a natural way to multiply modules, namely, to define the
product of the module $[a_1, a_2, \ldots, a_k]$ and the module $[b_1, b_2, \ldots, b_l]$
to be the module $[c_1, c_2, \ldots, c_{kl}]$ in which the $c$’s consist of all $kl$
products in which the first factor is chosen from $a_1, a_2, \ldots, a_k$ and
the second factor is chosen from $b_1, b_2, \ldots, b_l$.


More precisely, this defines an operation on lists of hypernumbers.
For it to be considered an operation on modules, the resulting module
must be shown to be the same when $[a_1, a_2, \ldots, a_k]$ is replaced by
another presentation of the same module. That is, one needs to prove:


Proposition. If the product of two lists $a$ and $b$ is defined as above—
the product $a \cdot b$ of a list $a$ containing $k$ hypernumbers and a list $b$
containing $l$ hypernumbers is a list obtained by putting the $kl$
hypernumbers $a_i b_j$ in some order—and if $c$ is another list of hypernumbers
for which $[a] = [c]$, then $[a \cdot b] = [c \cdot b]$.


Proof. If $a$ is the list $a_1, a_2, \ldots, a_k$ and $c$ is the list $c_1, c_2, \ldots, c_m$,
Corollary 2 above states that the transition from $[a]$ to $[c]$ can
be made by a sequence of steps in which one hypernumber in the
list which is 0 mod the remaining hypernumbers in the list is either
annexed to or dropped from the list. Therefore, the theorem will be
proved if it is shown that $[a \cdot b] = [c \cdot b]$ for one such step—say for a
step in which the list $c$ is the list $a$ with one hypernumber that is 0
mod $[a]$ annexed to it.


But in this case $c \cdot b$ is $a \cdot b$ with new terms annexed—specifically,
with terms $c_i b_j$ annexed, where $c_i$ is the sole entry in the list $c$ that
is not in the list $a$, and $b_j$ is an entry in the list $b$—and all that needs
to be shown is that the annexed terms are all 0 mod $[a \cdot b]$. But
$c_i b_j \equiv 0 \bmod [a \cdot b]$ follows from $c_i \equiv 0 \bmod [a]$ when one multiplies
an equation demonstrating $c_i \equiv 0 \bmod [a]$ by $b_j$, which completes the
proof. □


Multiplication of modules is of course commutative and associa- 
tive because the multiplication of hypernumbers is commutative and 
associative. 


Exercises for Chapter 17 


1. Prove the following equations of modules:
(a) $[7 + 2\sqrt{11}] = [5, 7 + 2\sqrt{11}] = [5, 1 + \sqrt{11}]$,
(b) $[7 + \sqrt{7}, 13 + 4\sqrt{7}] = [3, 1 + \sqrt{7}]$. [Hint: Find numbers that
are $\equiv 0$ for this modulus.]


2. The equation $[7 + 2\sqrt{11}][\sqrt{11}] = [5, 1 + \sqrt{11}][\sqrt{11}]$ implies
that both $5\sqrt{11}$ and $11 + \sqrt{11}$ are 0 mod $[22 + 7\sqrt{11}]$. Prove these
statements by finding explicit equations $5\sqrt{11} + a \cdot (22 + 7\sqrt{11}) =
b \cdot (22 + 7\sqrt{11})$ and $11 + \sqrt{11} + c \cdot (22 + 7\sqrt{11}) = d \cdot (22 + 7\sqrt{11})$ in
which $a$, $b$, $c$, and $d$ are hypernumbers.


3. As will be proved in the next chapter, every module (for a
given $A$) is equal to one in the form $[ef, eg + e\sqrt{A}]$ (unless it is $[0]$).
Try to construct your own proof of this fact. Moreover, one can even
stipulate that $g^2 \equiv A \bmod f$.


4. Provided $f$ and $F$ are relatively prime, a product module
of the form $[f, g + \sqrt{A}][F, G + \sqrt{A}]$, in which $g^2 \equiv A \bmod f$ and
$G^2 \equiv A \bmod F$, is equal to $[fF, \mathcal{G} + \sqrt{A}]$ where $\mathcal{G}$ is determined via
the Chinese remainder theorem via $\mathcal{G} \equiv g \bmod f$ and $\mathcal{G} \equiv G \bmod F$.
Prove this equation.


Chapter 18


A Canonical Form for Modules of Hypernumbers


Let a number A, not a square, be fixed, and let all hypernumbers be 
hypernumbers for that A. 


Problem. Given two lists $a_1, a_2, \ldots, a_k$ and $b_1, b_2, \ldots, b_l$ of
hypernumbers, determine whether $[a_1, a_2, \ldots, a_k] = [b_1, b_2, \ldots, b_l]$.


In the case of modules of numbers in Chapter 4 this problem was 
solved by showing that every module is equal to one in the form [d] 
and that two in this form are equal only when they are identical. The 
problem in the case of hypernumbers can be solved in an analogous 
way by establishing a canonical form for such modules, a form with 
the property that every module is equal to one in this form, and two 
in this form are equal only when they are identical. 


The congruence relation determined by a list in which all entries
are zero is simply the relation of equality, but if a list contains even one
nonzero entry, that entry is congruent to zero for the corresponding
congruence relation without being equal to zero, so the congruence
relation is different from equality. Thus, if $a_1, a_2, \ldots, a_k$ are all zero,
$[a_1, a_2, \ldots, a_k] = [b_1, b_2, \ldots, b_l]$ if and only if $b_1, b_2, \ldots, b_l$ are all
zero, and the solution of the full problem stated above is reduced to
the solution of the case in which the given lists both contain nonzero
entries. A canonical form for such modules can be found by the
following sequence of simplifying steps.
(1) Let the given list be $a_1, a_2, \ldots, a_k$, where $a_i = y_i + x_i\sqrt{A}$,
and let $e$ be the greatest common divisor of the $2k$ coefficients
$x_1, x_2, \ldots, x_k, y_1, y_2, \ldots, y_k$ of the entries. (This definition of $e$ makes use
of the assumption that at least one $a_i$ is not zero.) Then $a_i = e \cdot b_i$
defines a hypernumber $b_i$, and the given module can be written in the
form $[a_1, a_2, \ldots, a_k] = [e][b_1, b_2, \ldots, b_k]$, where the $2k$ coefficients
of $b_1, b_2, \ldots, b_k$ have no common divisor greater than 1.


(2) Given a module $[b_1, b_2, \ldots, b_k]$ with this added property
that the greatest common divisor of the coefficients of the $b_i$ is 1,
annex to the list, if it does not already contain one, a nonzero number
that is 0 mod $[b_1, b_2, \ldots, b_k]$. Such a number is easy to find. For
example, if $b = y + x\sqrt{A}$ is a nonzero entry in the list, then both
$yb = y^2 + xy\sqrt{A}$ and $x\sqrt{A} \cdot b = xy\sqrt{A} + Ax^2$ are 0 mod $[b_1, b_2, \ldots, b_k]$,
so $y^2 \equiv y^2 + xy\sqrt{A} + Ax^2 \equiv Ax^2 \bmod [b_1, b_2, \ldots, b_k]$. Therefore,
the number $|y^2 - Ax^2|$ can be annexed to the list without changing
the module. (Here $|y^2 - Ax^2|$ denotes, of course, the difference of $y^2$
and $Ax^2$, which is $y^2 - Ax^2$ if $y^2 > Ax^2$ and $Ax^2 - y^2$ otherwise. It is
not zero, because $Ax^2$ is divisible an odd number of times by at least
one of the prime divisors of $A$—because $A$ is not a square—which
would be impossible if $Ax^2$ were $y^2$.)


(3) Given a module $[b_1, b_2, \ldots, b_k]$ in which the greatest common
divisor of the $2k$ coefficients $x_1, x_2, \ldots, x_k, y_1, y_2, \ldots, y_k$ of the $k$
hypernumbers $b_i = y_i + x_i\sqrt{A}$ is 1, and in which $b_1$ is a nonzero
number, annex to the list a hypernumber of the form $h + \sqrt{A}$ which
is congruent to 0 mod $[b_1, b_2, \ldots, b_k]$. Such a hypernumber can be
constructed in the following way. Because $1 \equiv 0 \bmod [x_1, x_2, \ldots, x_k, y_1, y_2, \ldots, y_k]$,
there are numbers $r_1, r_2, \ldots, r_k$, $s_1, s_2, \ldots, s_k$, $u_1, u_2, \ldots, u_k$,
$v_1, v_2, \ldots, v_k$ for which
$1 + r_1x_1 + r_2x_2 + \cdots + r_kx_k + s_1y_1 + \cdots + s_ky_k = u_1x_1 + u_2x_2 + \cdots + u_kx_k + v_1y_1 + \cdots + v_ky_k$.
Therefore, the coefficient of $\sqrt{A}$ in the hypernumber
$r_1b_1 + r_2b_2 + \cdots + r_kb_k + s_1b_1\sqrt{A} + s_2b_2\sqrt{A} + \cdots + s_kb_k\sqrt{A}$
is 1 less than the coefficient of $\sqrt{A}$ in the hypernumber
$u_1b_1 + u_2b_2 + \cdots + u_kb_k + v_1b_1\sqrt{A} + v_2b_2\sqrt{A} + \cdots + v_kb_k\sqrt{A}$;
say the first is $Y_1 + X_1\sqrt{A}$ and the second is $Y_2 + X_2\sqrt{A}$
where $X_1 + 1 = X_2$. Then $Y_1 + X_1\sqrt{A} \equiv 0 \equiv Y_2 + (X_1 + 1)\sqrt{A} \bmod [b_1, b_2, \ldots, b_k]$.
When $q$ is a large enough number that $Y_2 + qb_1$ is larger
than $Y_1$, subtraction of $Y_1 + X_1\sqrt{A}$ from $qb_1 + Y_2 + (X_1 + 1)\sqrt{A}$ gives
a hypernumber that is 0 mod $[b_1, b_2, \ldots, b_k]$ in which the coefficient
of $\sqrt{A}$ is 1, as required.


(4) A module $[b_1, b_2, \ldots, b_k]$ in which $b_1$ is a nonzero number
and the coefficient of $\sqrt{A}$ in $b_2$ is 1 can be reduced to one of the form
$[f, g + \sqrt{A}]$, in which $f \neq 0$, in the following way. If $k > 2$, each
$b_i = y_i + x_i\sqrt{A}$ for $i > 2$ can be replaced by $b_i + qb_1 - x_ib_2$ when $q$ is large
enough to make the subtraction possible. When this replacement is
made for each $i > 2$, the list takes the form $b_1$, $b_2 = y_2 + \sqrt{A}$, $n_3, n_4, \ldots, n_k$
where the $n_i$ are numbers because the coefficients of $\sqrt{A}$ in $b_i$
and $x_ib_2$ are the same. This module is, by the Euclidean algorithm,
equal to $[f, y_2 + \sqrt{A}]$ where $f$ is the greatest common divisor of
$b_1, n_3, n_4, \ldots, n_k$.


(5) Finally, a module of the form $[f, g + \sqrt{A}]$, where $f \neq 0$, can
be assumed without loss of generality to have the properties that
$g^2 \equiv A \bmod f$ and $g < f$. The first property can be assumed because
if $g^2 \not\equiv A \bmod f$, one can annex the number $|g^2 - A|$ to the list (see
step (2) above) and replace $f$ and $|g^2 - A|$ in the resulting list with
their greatest common divisor $f'$ to find a representation $[f', g + \sqrt{A}]$
in which $f'$ divides $|g^2 - A|$. As for the second property, if $g \geq f'$,
one can simply subtract $f'$ from $g$ without changing the module and
repeat until $g < f'$.


In summary: 


Theorem. Every module of hypernumbers for a given $A$, other than
the trivial module $[0]$, is equal to one in the special form $[e][f, g + \sqrt{A}]$
where $ef \neq 0$, $g < f$, and $g^2 \equiv A \bmod f$.


A module in this form $[e][f, g + \sqrt{A}]$—where $ef \neq 0$, $g < f$, and
$g^2 \equiv A \bmod f$—will be said to be in canonical form. That two
modules in this form are equal only if they are identical is proved in
the corollary below.


Proposition. Let $[e][f, g + \sqrt{A}]$ be a module in canonical form. Then
a hypernumber $Y + X\sqrt{A}$ satisfies $Y + X\sqrt{A} \equiv 0 \bmod [e][f, g + \sqrt{A}]$
if and only if $X \equiv 0 \bmod e$ and $Y \equiv gX \bmod ef$.


Proof. If $X \equiv 0 \bmod e$, say $X = eX'$, and $Y \equiv gX \bmod ef$, then
$Y \equiv 0 \bmod e$, say $Y = eY'$; moreover, $Y' \equiv gX' \bmod f$, as follows
directly from the meaning of $Y \equiv gX \bmod ef$, say $Y' + rf = gX' + sf$.
Thus, $Y' + rf + X'\sqrt{A} = gX' + sf + X'\sqrt{A} = X'(g + \sqrt{A}) + sf$;
multiply by $e$ to find $Y + X\sqrt{A} + ref = X'(eg + e\sqrt{A}) + sef$, which
shows $Y + X\sqrt{A} \equiv 0 \bmod [ef, eg + e\sqrt{A}]$, as required.


Conversely, if $Y + X\sqrt{A} \equiv 0 \bmod [ef, eg + e\sqrt{A}]$, then $X \equiv 0 \bmod e$
and $Y \equiv gX \bmod ef$, as can be shown in the following way. What
is given is an equation $Y + X\sqrt{A} + a(ef) + b(eg + e\sqrt{A}) = c(ef) +
d(eg + e\sqrt{A})$, where $a$, $b$, $c$, and $d$ are hypernumbers. Since all terms
other than $Y + X\sqrt{A}$ are hypernumbers in which both coefficients are
divisible by $e$, the same is true of the hypernumber $Y + X\sqrt{A}$, say
$Y + X\sqrt{A} = eY' + eX'\sqrt{A}$. In particular, $X \equiv 0 \bmod e$. Then division
by $e$ gives $Y' + X'\sqrt{A} + af + b(g + \sqrt{A}) = cf + d(g + \sqrt{A})$. Now the
hypernumber $af + b(g + \sqrt{A})$ can be written in the form
$jf + kf\sqrt{A} + l(g + \sqrt{A}) + m\sqrt{A}(g + \sqrt{A})$, where $j$, $k$, $l$, and $m$ are numbers, and
the same is true of the hypernumber $cf + d(g + \sqrt{A})$, so an equation
of the form $Y' + X'\sqrt{A} + jf + kf\sqrt{A} + l(g + \sqrt{A}) + m(A + g\sqrt{A}) =
j'f + k'f\sqrt{A} + l'(g + \sqrt{A}) + m'(A + g\sqrt{A})$ holds. The coefficients of
$\sqrt{A}$ on the two sides are $X' + kf + l + mg = k'f + l' + m'g$, whereas the
terms that are numbers are $Y' + jf + lg + mA = j'f + l'g + m'A$. When
these equations are interpreted as congruences mod $f$ and when use is
made of $A \equiv g^2 \bmod f$, one finds first $X' + l + mg \equiv l' + m'g \bmod f$
and then $Y' + lg + mA \equiv l'g + m'A \equiv g(l' + m'g) \equiv g(X' + l + mg)
\equiv gX' + lg + mA \bmod f$, from which the desired conclusion
$Y' \equiv gX' \bmod f$—which is to say $Y \equiv gX \bmod ef$—follows. □


Corollary. If $[e][f, g + \sqrt{A}]$ and $[E][F, G + \sqrt{A}]$ are modules in
canonical form and if they are equal, then $e = E$, $f = F$, and $g = G$.


Deduction. Let $M$ denote the module $[e][f, g + \sqrt{A}] = [E][F, G + \sqrt{A}]$.
Then $e = E$ because both are the largest number that divides
all hypernumbers that are 0 mod $M$, $f = F$ because both $ef$ and
$EF = eF$ are the smallest nonzero number that is 0 mod $M$, and
$g = G$ because both are the smallest number $x$ for which $ex + e\sqrt{A}$
is 0 mod $M$. □


Note that the canonical form of the module $[1]$ is $[1, \sqrt{A}]$.
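

The canonical form gives a mechanical test for equality of modules. The Python code below is an added example, not taken from the book: it computes (e, f, g) by Euclidean reduction on pairs of signed integers (a shortcut in place of the natural-number steps (1) to (5)), using the fact that a and a·√A are both 0 mod any module containing a, and it checks the result against module equations stated in the exercises for Chapter 17. The function names are this example's own.

```python
from math import gcd, isqrt

# A hypernumber y + x*sqrt(A) is stored as the pair (y, x).

def multiply(A, a, b):
    """Product of two lists of hypernumbers: all k*l products a_i * b_j."""
    return [(y1 * y2 + A * x1 * x2, y1 * x2 + x1 * y2)
            for y1, x1 in a for y2, x2 in b]

def canonical_form(A, gens):
    """Return (e, f, g) with [gens] = [e][f, g + sqrt(A)] in canonical form."""
    if isqrt(A) ** 2 == A:
        raise ValueError("A must not be a square")
    if any(y < 0 or x < 0 for y, x in gens):
        raise ValueError("hypernumber coefficients are natural numbers")
    if all(v == (0, 0) for v in gens):
        raise ValueError("the trivial module [0] has no canonical form")
    # Each entry a and each a*sqrt(A) is 0 mod the module.
    vectors = []
    for y, x in gens:
        vectors += [(y, x), (A * x, y)]
    n = 0        # gcd of the pure numbers found to be 0 mod the module
    h, c = 0, 0  # h + c*sqrt(A) is 0 mod the module, with c as small as possible
    for Y, X in vectors:
        while X != 0:                 # Euclid on the coefficients of sqrt(A)
            q = c // X
            h, c, Y, X = Y, X, h - q * Y, c - q * X
        n = gcd(n, abs(Y))            # what is left, (Y, 0), is a pure number
    # Now Y + X*sqrt(A) is 0 mod the module iff X = 0 mod c and the rest
    # is a multiple of n, which is the Proposition with e = c and ef = n.
    e = c
    f = n // e
    g = (h // e) % f
    assert n % e == 0 and h % e == 0 and (g * g - A) % f == 0
    return e, f, g

def modules_equal(A, a, b):
    """Decide whether [a] = [b] by comparing canonical forms."""
    zero_a = all(v == (0, 0) for v in a)
    zero_b = all(v == (0, 0) for v in b)
    if zero_a or zero_b:
        return zero_a and zero_b
    return canonical_form(A, a) == canonical_form(A, b)

if __name__ == "__main__":
    # [7 + 2*sqrt(11)] = [5, 1 + sqrt(11)]
    print(canonical_form(11, [(7, 2)]))
    # [7 + sqrt(7), 13 + 4*sqrt(7)] = [3, 1 + sqrt(7)]
    print(canonical_form(7, [(7, 1), (13, 4)]))
    # [7 + 2*sqrt(11)][sqrt(11)] = [5, 1 + sqrt(11)][sqrt(11)]
    left = multiply(11, [(7, 2)], [(0, 1)])
    right = multiply(11, [(5, 0), (1, 1)], [(0, 1)])
    print(modules_equal(11, left, right))
```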


Exercises for Chapter 18 


1. Find modules in canonical form equal to each of the following:
(a) $[7 + 2\sqrt{11}]$,  (b) $[7, 2 + \sqrt{3}]$,  (c) $[11, 10 + 2\sqrt{3}]$,
(d) $[25 + 6\sqrt{3}, 20 + 7\sqrt{3}]$.


2. Given numbers $x$ and $y$, give rules for determining $e$, $f$, and $g$
for which $[y + x\sqrt{A}] = [e][f, g + \sqrt{A}]$ and the module on the right is
in canonical form.


3. For a given $A$, what condition must $f$ satisfy in order for there
to be a module $[f, g + \sqrt{A}]$ in canonical form?


4. Choose a value for $A$ and write down two hypernumbers $a$
and $b$ for that $A$ chosen more or less at random. Then put $[a, b]$ in
canonical form. Most likely, you will find that the canonical form is
$[a, b] = [1, \sqrt{A}]$. This is the analog for hypernumbers of the fact that
two numbers chosen at random will most likely be relatively prime.
Try to construct examples in which $[a, b] \neq [1, \sqrt{A}]$ but this fact is
not obvious.


Solution of $A\square + B = \square$


The method or methods by which ancient mathematicians found
solutions of $A\square + B = \square$ have not survived. Archimedes’ approximations
$\frac{265}{153} < \sqrt{3} < \frac{1351}{780}$ strongly suggest that he had some general
method, but we can only guess what it might have been. Brahmagupta
in the 7th century gave a method by which the smallest
solution $(x, y) = (120, 1151)$ of $92x^2 + 1 = y^2$ could be found, and the
later Indian mathematician Bhaskara Acharya in the 12th century
gave more general methods of solving $A\square + B = \square$.


The Indian methods were based on Brahmagupta’s formula,
employing it in an iterative way that was later called the “cyclic method”
([D, Chapter XII of Vol. 2] and [E2, Sec. 1.9]). The essence of the
method can be expressed in the notation of modules of hypernumbers
using:


Comparison Algorithm (so called because it gives a method of
comparing two modules to determine whether they are equivalent;
see Chapter 23).


Input: A module $[f, g + \sqrt{A}]$ in canonical form

Algorithm:
    $r$ is the least solution of $r + g \equiv 0 \bmod f$ for which $r^2 > A$
    $F = \frac{r^2 - A}{f}$
    $G$ is the least solution of $G \equiv r \bmod F$

Output: The module $[F, G + \sqrt{A}]$ in canonical form


The output module is in canonical form because the definitions
imply $r^2 \equiv (-g)^2 \equiv A \bmod f$, $F \neq 0$, $G < F$, and $G^2 \equiv r^2 \equiv
A \bmod F$. The input and output modules are related by the equation


$$[r + \sqrt{A}][f, g + \sqrt{A}] = [f][F, G + \sqrt{A}], \tag{1}$$


where $r$ is the number used by the algorithm to determine $F$ and $G$,
as can be proved as follows. First,


$$r^2 + (g + \sqrt{A})(r + \sqrt{A}) = \frac{r + g}{f} \cdot f \cdot (r + \sqrt{A}) + A \tag{2}$$


because both sides are $r^2 + gr + A + g\sqrt{A} + r\sqrt{A}$. Because $\frac{r + g}{f}$ is a
number, it follows that $r^2 \equiv A \bmod [f(r + \sqrt{A}), (g + \sqrt{A})(r + \sqrt{A})]$.
Therefore, the number $r^2 - A = fF$ can be annexed to the list that
describes $[r + \sqrt{A}][f, g + \sqrt{A}] = [f(r + \sqrt{A}), (g + \sqrt{A})(r + \sqrt{A})]$ to find
that this module is $[f(r + \sqrt{A}), (r + \sqrt{A})(g + \sqrt{A}), fF]$. Moreover,
when $A$ is subtracted from both sides of (2), one finds
$fF + (r + \sqrt{A})(g + \sqrt{A}) = \frac{r + g}{f} \cdot f \cdot (r + \sqrt{A})$, which means that $(r + \sqrt{A})(g + \sqrt{A})$
can be dropped from the list, leaving $[r + \sqrt{A}][f, g + \sqrt{A}] = [f \cdot (r + \sqrt{A}), fF]
= [f][F, r + \sqrt{A}]$, which is (1), because $G \equiv r \bmod F$ by
definition.


The use of the comparison algorithm to solve $A\square + B = \square$ will
be explained below. The method that is explained finds primitive
solutions of the problem, which is to say that it finds those solutions
$Ax^2 + B = y^2$ in which $x$ and $y$ are relatively prime. If a solution is
not primitive—say the greatest common divisor of $x$ and $y$ is $d > 1$—
then $d^2$ must divide $B$, and $(u, v) = (\frac{x}{d}, \frac{y}{d})$ is a primitive solution of
$Au^2 + \frac{B}{d^2} = v^2$. (In particular, all solutions are primitive unless $B$ is
divisible by a square greater than 1.) For this reason, it will suffice
to have a method of constructing all primitive solutions. One merely
needs to use such a method to construct the primitive solutions of
$A\square + \frac{B}{d^2} = \square$ for each square factor $d^2$ of $B$ (there may be no square
factor greater than 1) and to use each one that is found (if any are)
to construct a solution of $A\square + B = \square$.


All primitive solutions of a given equation $A\square + B = \square$ can be
found in the following way.


1. Given $A$ and $B$ ($A$ not a square, $B$ not zero), find all square
roots of $A$ mod $B$. In the cases of greatest interest, $B$ is a small
number and this step can easily be accomplished by trial-and-error. (The
process of finding square roots of $A$ mod $B$ is simplified by factoring
$B$, finding square roots of $A$ mod the factors, and using the Chinese
Remainder Theorem to put them together.)


2. For each square root $g$ of $A$ mod $B$, apply the comparison
algorithm repeatedly to the module $[B, g + \sqrt{A}]$ to generate a sequence
of modules $[B, g + \sqrt{A}] = [f_0, g_0 + \sqrt{A}]$, $[f_1, g_1 + \sqrt{A}]$, $[f_2, g_2 + \sqrt{A}]$,
.... Each pair of successive modules satisfies a relation


$$[r_i + \sqrt{A}][f_{i-1}, g_{i-1} + \sqrt{A}] = [f_{i-1}][f_i, g_i + \sqrt{A}]. \tag{3}$$


As will be found (it will be proved in the next chapter that it must
always happen) this sequence eventually begins to repeat. Therefore,
it will always be possible to determine whether the sequence contains
the module $[1]$ and, if so, exactly which indices $i$ satisfy $[f_i, g_i + \sqrt{A}] =
[1]$, or, what is the same, satisfy $f_i = 1$. (As will be shown, if $f_i = 1$
ever occurs, it occurs infinitely often.)


3. For each square root $g$ of $A$ mod $B$ and for each index $n$ for
which $f_n = 1$ in the sequence $[B, g + \sqrt{A}] = [f_0, g_0 + \sqrt{A}]$, $[f_1, g_1 + \sqrt{A}]$,
$[f_2, g_2 + \sqrt{A}]$, ... that follows from it, a primitive solution
$Ax^2 + B = y^2$ of the given equation can be found in the following way.
String together the $n$ equations (3) that relate the successive modules
$[f_i, g_i + \sqrt{A}]$ to find the equation


$$[r_1 + \sqrt{A}][r_2 + \sqrt{A}] \cdots [r_n + \sqrt{A}][B, g + \sqrt{A}]
= [B][f_1][f_2] \cdots [f_{n-1}][f_n, g_n + \sqrt{A}]$$


relating the initial module $[B, g + \sqrt{A}] = [f_0, g_0 + \sqrt{A}]$ and the $n$th
module $[f_n, g_n + \sqrt{A}] = [1]$. If one sets $Y + X\sqrt{A} = (r_1 + \sqrt{A})(r_2 +
\sqrt{A}) \cdots (r_n + \sqrt{A})$, this equation takes the form


$$[Y + X\sqrt{A}][B, g + \sqrt{A}] = [Bf_1f_2 \cdots f_{n-1}].$$


In particular, the hypernumber $(Y + X\sqrt{A})B$ is divisible by the
number $Bf_1f_2 \cdots f_{n-1}$, which means that $Y + X\sqrt{A}$ is divisible by
$f_1f_2 \cdots f_{n-1}$, say $Y + X\sqrt{A} = (y + x\sqrt{A})f_1f_2 \cdots f_{n-1}$. With $x$ and
$y$ defined in this way, the equation


$$[y + x\sqrt{A}][B, g + \sqrt{A}] = [B]$$


holds. As will be shown in the next chapter:


Theorem. For each square root $g$ of $A$ mod $B$, one can determine
quite explicitly the numbers $n$ for which $f_n = 1$ in the $n$th module
generated by the comparison algorithm when one begins with
$[B, g + \sqrt{A}]$ and applies the algorithm iteratively. For each such $g$ and $n$ (if
there are any), the pair of numbers $(x, y)$ given by the above formula


$$y + x\sqrt{A} = \frac{(r_1 + \sqrt{A})(r_2 + \sqrt{A}) \cdots (r_n + \sqrt{A})}{f_1f_2 \cdots f_{n-1}} \tag{4}$$


is a primitive solution of $Ax^2 + B = y^2$, and all primitive solutions
are found in this way.


Example: In Brahmagupta’s equation $92\square + 1 = \square$ mentioned at
the beginning of this chapter, $B = 1$ and the only module $[B, g + \sqrt{92}]$
to be considered is $[1]$. For this input module, one finds that the
sequence of $r$’s is 10, 14, 12, 12, 14, 10, after which the sequence
continues cyclically as 10, 14, 12, 12, ..., and the sequence of $f$’s
cycles through 1, 8, 13, 4, 13, 8, 1, 8, 13, 4, .... Thus the first solution
(disregarding the trivial solution $92 \cdot 0^2 + 1 = 1^2$ corresponding to the
initial 1) is


$$\frac{(10 + \sqrt{92})(14 + \sqrt{92})(12 + \sqrt{92})(12 + \sqrt{92})(14 + \sqrt{92})(10 + \sqrt{92})}{8 \cdot 13 \cdot 4 \cdot 13 \cdot 8}$$


which is easily found to be $1151 + 120\sqrt{92}$, the solution of
Brahmagupta that was mentioned above. There are infinitely many
solutions, one for each occurrence of $f = 1$, which happens at every
sixth step. These later solutions are clearly the powers of the
solution found above, so they are the coefficients of the hypernumbers
$(1151 + 120\sqrt{92})^n$ for $n = 2, 3, 4, \ldots$. Note how quickly the numbers $x$
and $y$ in these solutions grow; when $n = 2$, $(x, y) = (276240, 2649601)$.


How to Organize the Computations


Write the sequences $g, r_1, r_2, r_3, \ldots$ and $B, f_1, f_2, f_3, \ldots$ on
successive lines, with $B$ between $g$ and $r_1$, $r_1$ between $B$ and $f_1$, $f_1$ between
$r_1$ and $r_2$, and so forth. The computations of Brahmagupta’s example
are then displayed in the form

(A = 92)
0   10   14   12   12   14   10   10   14   12   12   14  ...
  1    8   13    4   13    8    1    8   13    4   13    8  ...


Each new term $r_i$ on the top line is the least solution of $r_{i-1} + r_i \equiv
0 \bmod f_{i-1}$ for which $r_i^2 > A$—in particular, the sum of two
consecutive numbers on the top line is always divisible by the number on the
bottom line that lies between them—and each new $f_i$ is given by the
formula $f_i = \frac{r_i^2 - A}{f_{i-1}}$ so the successive terms are easy to calculate. The
indices $n$ for which $f_n = 1$ are easy to see, and the numbers $r_i$ and $f_i$
needed in formula (4) can be read off. (Note that the first number in
the top row is $g$, the first number in the bottom row is $B$, and these
numbers do not appear in formula (4).)


In organizing the reduction of the hypernumber given by formula
(4), it is often easiest to cancel factors from the numerator and
denominator during the course of computing the product in the numerator.
For example, the numerator of the smallest solution of Brahmagupta’s
problem is $((10 + \sqrt{92})(14 + \sqrt{92}))^2(12 + \sqrt{92})(12 + \sqrt{92}) = (140 + 92 +
(10 + 14)\sqrt{92})^2(144 + 92 + 24\sqrt{92}) = 8^2(29 + 3\sqrt{92})^2 \cdot 4 \cdot (59 + 6\sqrt{92})$.
The factors $8^2 \cdot 4$ cancel from the denominator, leaving just $13^2$. Then
$((29 + 3\sqrt{92})(59 + 6\sqrt{92}))(29 + 3\sqrt{92}) = 13(259 + 27\sqrt{92})(29 + 3\sqrt{92}) =
13^2 \cdot (1151 + 120\sqrt{92})$ yields the answer given above.


Computation with Hypernumbers 


A simple way to do machine computation with hypernumbers without
having to write special programs is to treat $y + x\sqrt{A}$ as a $2 \times 2$ matrix
$\begin{pmatrix} y & x \\ Ax & y \end{pmatrix}$ of numbers. Since the square of
$\begin{pmatrix} 0 & 1 \\ A & 0 \end{pmatrix}$ is $\begin{pmatrix} A & 0 \\ 0 & A \end{pmatrix}$, the
matrix corresponding to $(y_1 + x_1\sqrt{A})(y_2 + x_2\sqrt{A})$ is then the product
of the matrix corresponding to $y_1 + x_1\sqrt{A}$ and the matrix corresponding
to $y_2 + x_2\sqrt{A}$. Since the same is obviously true of sums, one can
in this way do hypernumber computations using a computer software
package or even a programmable calculator that handles matrices. In
implementing formula (4), the numbers can be kept small by
alternating multiplications and divisions. Specifically, multiply the first
two factors in the numerator, divide by the first factor in the
denominator, multiply by the next factor in the numerator, divide by the
next factor in the denominator, and so forth; as is easy to prove, each
division goes evenly, so the result at each step is a hypernumber.
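

The three-step procedure of this chapter, together with the alternating multiply-and-divide evaluation of formula (4), can be carried out as follows. This Python code is an added example, not taken from the book; the function names are its own, and square roots of A mod B are found by trial as in step 1.

```python
from math import isqrt

def comparison_step(A, f, g):
    """Apply the comparison algorithm once to [f, g + sqrt(A)].

    Returns (r, F, G), where [F, G + sqrt(A)] is the output module.
    """
    bound = isqrt(A) + 1                 # least number whose square exceeds A
    r = (-g) % f                         # least r with r + g = 0 mod f
    if r < bound:
        r += -(-(bound - r) // f) * f    # step up by multiples of f until r*r > A
    F = (r * r - A) // f
    return r, F, r % F

def table(A, B, g, steps):
    """Top row g, r_1, r_2, ... and bottom row B, f_1, f_2, ... of the layout."""
    top, bottom, f = [g], [B], B
    for _ in range(steps):
        r, f, g = comparison_step(A, f, g)
        top.append(r)
        bottom.append(f)
    return top, bottom

def primitive_solutions(A, B, per_root=1):
    """For each square root g of A mod B, list the first `per_root` primitive
    solutions (x, y) of A*x*x + B = y*y given by formula (4); index 0 is skipped."""
    if isqrt(A) ** 2 == A or B < 1:
        raise ValueError("A must not be a square and B must be a nonzero number")
    found = {}
    for g0 in range(B):                  # step 1: square roots of A mod B by trial
        if (g0 * g0 - A) % B:
            continue
        f, g, seen, sols = B, g0, set(), []
        Y, X, i = 1, 0, 0                # running value Y + X*sqrt(A) of formula (4)
        # Stop when enough solutions are found, or when the sequence of modules
        # starts to repeat without f_i = 1 ever having occurred.
        while len(sols) < per_root and (sols or (f, g) not in seen):
            seen.add((f, g))
            r, F, G = comparison_step(A, f, g)
            i += 1
            Y, X = Y * r + A * X, Y + X * r      # multiply by r_i + sqrt(A)
            if i > 1:                            # then divide by f_{i-1}
                if Y % f or X % f:
                    raise ArithmeticError("division in formula (4) is not exact")
                Y, X = Y // f, X // f
            if F == 1:                           # f_i = 1: a solution
                sols.append((X, Y))
            f, g = F, G
        found[g0] = sols
    return found

if __name__ == "__main__":
    print(table(92, 1, 0, 11))
    print(primitive_solutions(92, 1, per_root=2))
    print(primitive_solutions(2, 7))
```

A root g that maps to an empty list is one whose sequence of modules cycles without reaching [1].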


Exercises for Chapter 19 


1. Find all solutions of $79x^2 + 21 = y^2$.


2. Find all solutions of $13x^2 + 1 = y^2$.


3. Choose a number $A$, not a square, and a number $x$ for which
$Ax^2$ is slightly less than a square, say $Ax^2 + B = y^2$ where $B$ is not a
very large number. Use the method of the chapter to find all solutions
of $A\square + B = \square$. (Remember that the method produces only primitive
solutions, so if your $B$ has square factors $d^2 > 1$ you also have to look
for solutions of $A\square + \frac{B}{d^2} = \square$.)


4. Find all solutions of $61\square + 1 = \square$. [Persevere. The
smallest squares for which this equation holds are enormous, but not too
difficult to find if the computation is organized carefully.]


5. The equation $A\square + 1 = \square$—i.e., the special case $B = 1$ of
the problem of this chapter—is called Pell’s equation. Show that
if $(X, Y)$ is a solution of $AX^2 + B = Y^2$ and if $Ax^2 + 1 = y^2$ is the
smallest solution of Pell’s equation for this $A$, then the next solution
of $AX^2 + B = Y^2$ in the sequence that contains the solution $(X, Y)$
is given by the coefficients of $(Y + X\sqrt{A})(y + x\sqrt{A})$.


6. Find a published table of solutions of Pell’s equation and derive
some of the entries using the method of this chapter. Fermat stated
that Pell’s equation has infinitely many solutions whenever $A$ is not
a square, a statement which follows from the method of this chapter
and the fact, proved in Chapter 22, that $[1]$ is stable.


Proof of the Theorem of Chapter 19


For given numbers $A$ and $B$ ($A$ not a square and $B$ not zero), the
theorem of Chapter 19 describes an algorithm for finding all primitive
solutions of $Ax^2 + B = y^2$; it is based on finding all occurrences of $[1]$
in the sequence of modules $[B, g + \sqrt{A}] = [f_0, g_0 + \sqrt{A}]$, $[f_1, g_1 + \sqrt{A}]$,
$[f_2, g_2 + \sqrt{A}]$, ... generated by applying the comparison algorithm
iteratively to modules $[B, g + \sqrt{A}]$ in canonical form. (In particular,
there are no primitive solutions if $A$ is not a square mod $B$.)


Theorem 1. The sequence of modules $[f_0, g_0 + \sqrt{A}]$, $[f_1, g_1 + \sqrt{A}]$,
$[f_2, g_2 + \sqrt{A}]$, ... that results when the comparison algorithm is applied
repeatedly to any module $[f_0, g_0 + \sqrt{A}]$ in canonical form eventually
begins to repeat.


Once a module in the sequence is repeated, all subsequent mod- 
ules are repeats, so the infinite sequence contains only a finite number 
of distinct modules and eventually becomes an infinitely repeating cy- 
cle. 


Proof. Let $r_1, r_2, \ldots$ be the numbers used by the comparison
algorithm to go from $[f_0, g_0 + \sqrt{A}]$ to $[f_1, g_1 + \sqrt{A}]$, from $[f_1, g_1 + \sqrt{A}]$ to
$[f_2, g_2 + \sqrt{A}]$, and so forth. The key idea of the proof is that $|r_{i+1} - f_i|^2$
is less than $|r_i - f_{i-1}|^2$ unless $|r_i - f_{i-1}|^2 < A$; once an $i$ is reached
for which $|r_i - f_{i-1}|^2 < A$ (which may be true for $i = 1$), the same
inequality holds for all subsequent values of $i$, which implies, as will
be shown, that the sequence must begin to repeat.


First, $r_i + r_{i+1} \geq 2f_i$ for each $i$ for the following reasons. Because
$r_i + r_{i+1} \equiv g_i + r_{i+1} \equiv 0 \bmod f_i$ (the first by the definition of $g_i$,
the second by the definition of $r_{i+1}$), $r_i + r_{i+1}$ is divisible by $f_i$, so
$r_i + r_{i+1} \geq 2f_i$ will follow if $r_i + r_{i+1} > f_i$ is proved to hold. If
$f_{i-1} \geq r_i$, then $r_i^2 > r_i^2 - A = f_if_{i-1} \geq f_ir_i$, which implies $r_i > f_i$
and therefore implies the desired inequality $r_i + r_{i+1} > f_i$. Thus, the
desired inequality holds unless $f_{i-1} < r_i \leq f_i$. But it holds when $r_i$
is in this range too, because then $(r_i - f_{i-1})^2 < A$ (by the definition
of $r_i$, because $r_i - f_{i-1}$ is less than $r_i$ and congruent to it mod $f_{i-1}$),
from which it follows that


$$r_i^2 - 2r_if_{i-1} + f_{i-1}^2 < A$$
$$f_{i-1}f_i + f_{i-1}^2 < 2r_if_{i-1} \quad \text{(add $2r_if_{i-1}$ and subtract $A$)}$$
$$f_i + f_{i-1} < 2r_i \quad \text{(divide by $f_{i-1}$).}$$


Multiplication of the last inequality by $f_i$ puts it in the form $f_i^2 +
r_i^2 - A < 2r_if_i$, which is the same as $(f_i - r_i)^2 < A$ because $r_i \leq f_i$.
Since $A < r_{i+1}^2$, by the definition of $r_{i+1}$, this gives $(f_i - r_i)^2 < r_{i+1}^2$,
from which the desired conclusion $f_i - r_i < r_{i+1}$ follows.


Next, $|r_i - f_{i-1}|^2 > A$ implies $f_{i-1} + r_{i+1} > f_i + r_i$ for the
following reasons. (Here $|a - b|^2$ means, of course, $(a - b)^2$ if $a > b$ and
otherwise means $(b - a)^2$. In either case, this number is $a^2 + b^2 - 2ab$.)
In fact, $|r_i - f_{i-1}|^2 > A$ means $r_i^2 + f_{i-1}^2 > A + 2r_if_{i-1}$. Since
$r_i^2 - A = f_if_{i-1}$, subtracting $A$ from both sides and dividing by $f_{i-1}$
gives $f_i + f_{i-1} > 2r_i$. Addition of this to the inequality $r_i + r_{i+1} \geq 2f_i$
of the last paragraph then gives $f_i + f_{i-1} + r_i + r_{i+1} > 2r_i + 2f_i$, which
is the desired conclusion, i.e., $f_{i-1} + r_{i+1} > f_i + r_i$.


It can now be shown that $|r_i - f_{i-1}|^2 > A$ implies $|r_i - f_{i-1}|^2 >
|r_{i+1} - f_i|^2$, as was claimed above. The proof of this implication will
be divided into two cases, $f_i < r_{i+1}$ and $f_i \geq r_{i+1}$. In the first
case, the definition of $r_{i+1}$ implies that $|r_{i+1} - f_i|^2 < A$ so of course
$|r_{i+1} - f_i|^2 < |r_i - f_{i-1}|^2$, as was to be shown. In the second case, the
assumption $|r_i - f_{i-1}|^2 > A$ implies $f_{i-1} + r_{i+1} > f_i + r_i$, as was just
shown, so $f_i \geq r_{i+1}$ implies $0 \leq f_i - r_{i+1} = f_i - r_{i+1} + r_i - r_i < f_{i-1} - r_i$,
and $(f_i - r_{i+1})^2 < (f_{i-1} - r_i)^2$, as was to be shown.


Once an $i$ is reached for which $|r_i - f_{i-1}|^2 < A$—as has now
been proved must eventually happen—the same inequality holds for
all subsequent values of $i$, as can be seen in the following way. The
assumption $|r_i - f_{i-1}|^2 < A$ implies $f_i + f_{i-1} < 2r_i$ in the same
way that $|r_i - f_{i-1}|^2 > A$ implies $f_i + f_{i-1} > 2r_i$ above. Therefore,
this assumption implies $f_i^2 + f_{i-1}f_i < 2r_if_i$, which is the same as
$f_i^2 + r_i^2 - A < 2r_if_i$ or $|f_i - r_i|^2 < A$. If $|r_{i+1} - f_i|^2$ were greater than $A$,
then, by the definition of $r_{i+1}$, $f_i$ would have to be greater than $r_{i+1}$.
(Otherwise, $r_{i+1} - f_i$ would be a smaller solution of $r + g_i \equiv 0 \bmod f_i$
whose square was larger than $A$.) Since $r_i + r_{i+1} \geq 2f_i$, this would
mean that $r_i > f_i$ and in fact that $r_i - f_i \geq f_i - r_{i+1}$, which would
imply $(r_i - f_i)^2 \geq (f_i - r_{i+1})^2 > A$, which is not the case. Therefore,
$|r_{i+1} - f_i|^2$ must be less than $A$, as was to be shown. (It cannot be
equal to $A$ because $A$ is not a square.)


Therefore, from some point on, say for $i > N$, the inequality
$|r_i - f_{i-1}|^2 < A$ must always be satisfied. The number $A - |r_i -
f_{i-1}|^2 = A - r_i^2 - f_{i-1}^2 + 2r_if_{i-1}$ is zero mod $f_{i-1}$. In other words,
$f_{i-1}$ divides one of the numbers $A$, $A - 1$, $A - 4$, $A - 9$, ... (a
terminating sequence). This observation limits the possible values of
$f_{i-1}$ for $i > N$ to a finite set. Since $g_{i-1} < f_{i-1}$, the values of $f_{i-1}$
and $g_{i-1}$ in $[f_{i-1}, g_{i-1} + \sqrt{A}]$ for $i > N$ are limited to a finite set and
the infinite sequence must eventually contain a repeat, as was to be
shown. □


After enough terms of the sequence $[B, g + \sqrt{A}] = [f_0, g_0 + \sqrt{A}]$,
$[f_1, g_1 + \sqrt{A}]$, $[f_2, g_2 + \sqrt{A}]$, ... are computed to find the first repeat,
the entire sequence is known and the occurrences, if any, of $[1]$ in the
sequence can be explicitly determined.


Theorem 2. If $n$ is an index for which $[f_n, g_n + \sqrt{A}] = [1]$, then the
coefficients of the hypernumber


$$y + x\sqrt{A} = \frac{(r_1 + \sqrt{A})(r_2 + \sqrt{A}) \cdots (r_n + \sqrt{A})}{f_1f_2 \cdots f_{n-1}}$$


of formula (4) in Chapter 19 are a primitive solution of $Ax^2 + B = y^2$.


The proof of this theorem will make use of the concept of the
norm of a module, which is the product of the module with its
conjugate. By definition, the conjugate of a module in canonical form
$[e][f, g + \sqrt{A}]$ is the module $[e][f, g' + \sqrt{A}]$ where $g'$ is the smallest
solution of $g' + g \equiv 0 \bmod f$. Otherwise stated, $g' = f - g$ if $g > 0$, and
$g' = 0$ if $g = 0$. Another way to describe the conjugate of a module
is to say that if the necessary and sufficient conditions for $y + x\sqrt{A}$
to be divisible by the module are $x \equiv 0 \bmod e$ and $y \equiv gx \bmod ef$,
where $g$ is a square root of $A$ mod $f$, then the necessary and sufficient
conditions for $y + x\sqrt{A}$ to be divisible by the conjugate of the module
are $x \equiv 0 \bmod e$ and $y + gx \equiv 0 \bmod ef$.


Lemma. The norm of a module in canonical form $[e][f, g + \sqrt{A}]$,
defined in this way to be the product of the module with its conjugate,
is given by the explicit formula $[e^2f][d, g + \sqrt{A}]$, where $d$ is the greatest
common divisor of $f$, $2g$, and $\frac{A - g^2}{f}$.


The greatest common divisor of $f$, $2g$, and $\frac{A - g^2}{f}$ will be called
the content of $[e][f, g + \sqrt{A}]$. If the content of a module is 1, the
module will be called primitive.


Proof of the lemma. Given $[e][f, g + \sqrt{A}]$ in canonical form, let $g'$
be the least solution of $g' + g \equiv 0 \bmod f$. It is to be shown that


$$[e][f, g + \sqrt{A}][e][f, g' + \sqrt{A}] = [e^2f][d, g + \sqrt{A}]$$


where $d$ is the content of $[e][f, g + \sqrt{A}]$. When the module on the left
is multiplied out and $e^2$ is canceled from all terms on both sides, the
equation to be proved becomes


$$[f^2, f(g + \sqrt{A}), f(g' + \sqrt{A}), gg' + A + (g + g')\sqrt{A}] = [f][d, g + \sqrt{A}].$$


For sufficiently large numbers $s$ and $t$, the module on the left can be
written $[f^2, fg + f\sqrt{A}, sf^2 + fg' - fg, tf^2 + gg' + A - \frac{g + g'}{f} \cdot fg] =
[f^2, fg + f\sqrt{A}, sf^2 + fg' - fg, tf^2 + A - g^2]$, which is $[f][d_0, g + \sqrt{A}]$ when
$d_0$ is defined by $[d_0] = [f, sf + g' - g, tf + \frac{A - g^2}{f}]$. This equation implies
$f \equiv 0 \bmod d_0$, $g \equiv sf + g' \equiv g' \equiv -g \bmod d_0$, and $\frac{A - g^2}{f} \equiv 0 \bmod d_0$,
so $d_0$ divides $d$. Conversely, $f$, $sf + g' - g$ and $tf + \frac{A - g^2}{f}$ are all divisible
by $d$, so $d_0 = d$ and the proof is complete. □


Proof of Theorem 2. The content of $[f_{i-1}, g_{i-1} + \sqrt{A}]$ divides the content of $[f_i, g_i + \sqrt{A}]$, as one can see in the following way.


Let $d$ be the content of $[f_{i-1}, g_{i-1} + \sqrt{A}]$. Because $r_i = uf_{i-1} - g_{i-1}$ for some $u$, the number $f_i f_{i-1} = r_i^2 - A$ can be written as $u^2 f_{i-1}^2 - 2uf_{i-1}g_{i-1} + g_{i-1}^2 - A$, from which it follows that $df_{i-1}$ divides $f_i f_{i-1}$, so $d$ divides $f_i$. Because $2r_i \equiv 2g_i \bmod f_i$ and therefore $2g_i \equiv 2r_i \bmod d$, it also follows that $2g_i \equiv 2uf_{i-1} - 2g_{i-1} \equiv 0 \bmod d$. Finally, $g_i \equiv r_i \bmod f_i$ means that $g_i + kf_i = r_i + lf_i$ for some numbers $k$ and $l$; when both sides are squared and $r_i^2$ is replaced with $A + f_i f_{i-1}$, one finds an equation in which all terms are divisible by $df_i$ except for the term $g_i^2$ in the first expression and the term $A$ in the last. Therefore, $g_i^2 \equiv A \bmod df_i$ and $d$ divides the content of $[f_i, g_i + \sqrt{A}]$, as was to be shown.


Therefore, $f_n = 1$ implies that $[f_0, g_0 + \sqrt{A}]$ is primitive and therefore implies, by the lemma, that $[B, g + \sqrt{A}][B, g' + \sqrt{A}] = [B]$ where $[B, g' + \sqrt{A}]$ is the canonical form of the conjugate of $[B, g + \sqrt{A}]$.


Multiply the equation

$$[y + x\sqrt{A}][B, g + \sqrt{A}] = [B]$$

that was found in Chapter 19 by $[B, g' + \sqrt{A}]$ and cancel $[B]$ to find

$$[y + x\sqrt{A}] = [B, g' + \sqrt{A}]$$

which gives the canonical form of $[y + x\sqrt{A}]$ and shows in particular that $x$ and $y$ are relatively prime. Application of Brahmagupta’s formula to $(r_1 + \sqrt{A})(r_2 + \sqrt{A}) \cdots (r_n + \sqrt{A}) = Y + X\sqrt{A}$ gives $(r_1^2 - A)(r_2^2 - A) \cdots (r_n^2 - A) = Y^2 - AX^2$ and therefore shows that $Y^2 > AX^2$, and therefore, since $Y + X\sqrt{A}$ is the numerator of $y + x\sqrt{A}$, $y^2 > Ax^2$. The number $y^2 - Ax^2$, call it $C$, satisfies $[y + x\sqrt{A}] = [C, y + x\sqrt{A}]$ (see step (2) in Chapter 18). A common factor of $C$ and $x$ would be a factor of $y^2$, contrary to the fact that $x$ and $y$ are relatively prime. Therefore $x$ has a reciprocal mod $C$, call it $u$, and $u(y + x\sqrt{A})$ can be annexed to the list to find $[y + x\sqrt{A}] = [C, y + x\sqrt{A}, uy + ux\sqrt{A}]$. The middle term is congruent mod $C$ to $x$ times the last, so it can be dropped, leaving $[y + x\sqrt{A}] = [C, uy + ux\sqrt{A}]$, which is $[C, h + \sqrt{A}]$, where $h$ is the least solution of $h \equiv uy \bmod C$. Since $h^2 \equiv u^2y^2 \equiv u^2Ax^2 \equiv A \bmod C$, this is the canonical form of $[y + x\sqrt{A}]$, so $[B, g' + \sqrt{A}]$ and $[C, h + \sqrt{A}]$ are identical. In particular, $B = C = y^2 - Ax^2$, as was to be shown. □


It remains to show that all solutions of $Ax^2 + B = y^2$ are obtained in this way. That is:


Theorem 3. Every primitive solution of $Ax^2 + B = y^2$ is found by the method of Theorem 2 for some square root $g$ of $A$ mod $B$ and for some index $n$.


Proof. The proof will use the following algorithm to reverse the com- 
parison algorithm. 


Reduction Algorithm (so called because it reduces the value of $X$ in the input equation).
Let $[B, g + \sqrt{A}]$ be a given module in canonical form.


Input: A hypernumber $Y + X\sqrt{A}$ in which $Y^2 > AX^2$ and $X > 0$ and for which the canonical form of the product $[Y + X\sqrt{A}][B, g + \sqrt{A}]$ is $[B][F, G + \sqrt{A}]$ for some $F$ and $G$.

Algorithm:

Let $s$ be the smallest solution of $s \equiv G \bmod F$ for which $sX \ge Y$. Then $(s - \sqrt{A})(Y + X\sqrt{A})$ is defined and congruent to 0 mod $F$, say it is $F(Y_1 + X_1\sqrt{A})$.

Output: A hypernumber $Y_1 + X_1\sqrt{A}$ in which $Y_1^2 > AX_1^2$ (but $X_1$ may be zero) and the canonical form of the product $[Y_1 + X_1\sqrt{A}][B, g + \sqrt{A}]$ is $[B][F_1, G_1 + \sqrt{A}]$, where $F_1 = \frac{s^2 - A}{F}$ and $G_1 + s \equiv 0 \bmod F_1$.


The hypernumber $(s - \sqrt{A})(Y + X\sqrt{A})$ is meaningful, which is to say that $\sqrt{A}(Y + X\sqrt{A})$ can be subtracted from $s(Y + X\sqrt{A})$. In the case of the coefficient of $\sqrt{A}$ this is simply the condition $sX \ge Y$ of the definition of $s$; in the case of the other coefficient, it follows from the observation that $(sX)^2 \ge Y^2 > AX^2$ and $X \ne 0$ imply $s^2 > A$, so $s^2Y^2 > A \cdot AX^2 = (AX)^2$ and $sY > AX$.


The input equation implies $(Y + X\sqrt{A})B \equiv 0 \bmod [BF, B(G + \sqrt{A})]$ and therefore implies $Y + X\sqrt{A} \equiv 0 \bmod [F, G + \sqrt{A}]$, directly from the definitions. By the corollary of Chapter 18, then, $Y \equiv GX \bmod F$. Therefore, $Y \equiv sX \bmod F$, which shows that the coefficient of $\sqrt{A}$ in $(s - \sqrt{A})(Y + X\sqrt{A})$ is divisible by $F$. That the other coefficient is also divisible by $F$ follows from the observation that it is $sY - AX \equiv GY - G^2X = G(Y - GX) \equiv 0 \bmod F$. In short, the equation $(s - \sqrt{A})(Y + X\sqrt{A}) = F(Y_1 + X_1\sqrt{A})$ determines $Y_1 + X_1\sqrt{A}$.


Because $s$ is the smallest number congruent to $G$ mod $F$ for which $sX \ge Y$, the inequality $sX < FX + Y$ must hold, so $FX_1 = sX - Y < FX$ and $X_1 < X$.


That $AX_1^2 < Y_1^2$ follows from a simple variation of Brahmagupta’s formula that is easy to prove (see Exercise 2), namely, the formula $A(sX - Y)^2 + (s^2 - A)(Y^2 - AX^2) = (sY - AX)^2$, which implies $AF^2X_1^2 < F^2Y_1^2$.

The output equation can be deduced in the following way. Because $s^2 \equiv G^2 \equiv A \bmod F$, the number $s^2 - A$ is divisible by $F$, say $s^2 - A = F_1F$. Let $G_1$ be the least solution of $G_1 + s \equiv 0 \bmod F_1$. The equation

$$(G_1 + \sqrt{A})(s + \sqrt{A}) + F_1F = G_1s + (G_1 + s)\sqrt{A} + A + s^2 - A = (G_1 + s)(s + \sqrt{A}) = qF_1(s + \sqrt{A}),$$

where $q$ is defined by $G_1 + s = qF_1$, shows that the module $[(G_1 + \sqrt{A})(s + \sqrt{A}),\ F_1F,\ F_1(s + \sqrt{A})]$ is unchanged if either of the first two terms is dropped from the list. Thus

$$[F_1F,\ F_1(s + \sqrt{A})] = [(G_1 + \sqrt{A})(s + \sqrt{A}),\ F_1(s + \sqrt{A})],$$

which is to say

$$[F_1][F, s + \sqrt{A}] = [s + \sqrt{A}][F_1, G_1 + \sqrt{A}].$$
Therefore,

$$\begin{aligned}
[F][s + \sqrt{A}][Y_1 + X_1\sqrt{A}][B, g + \sqrt{A}]
&= [s + \sqrt{A}][F(Y_1 + X_1\sqrt{A})][B, g + \sqrt{A}] \\
&= [s + \sqrt{A}][(s - \sqrt{A})(Y + X\sqrt{A})][B, g + \sqrt{A}] \\
&= [s^2 - A][B][F, G + \sqrt{A}] \\
&= [F_1F][B][F, s + \sqrt{A}] \\
&= [F][s + \sqrt{A}][F_1, G_1 + \sqrt{A}][B].
\end{aligned}$$

The very definition of equality of modules implies that the common factor $F(s + \sqrt{A})$ can be canceled from all terms in the lists at the beginning and end of this long equation to reach the desired conclusion

$$[Y_1 + X_1\sqrt{A}][B, g + \sqrt{A}] = [B][F_1, G_1 + \sqrt{A}].$$


Now let $(X, Y)$ be a solution of $AX^2 + B = Y^2$ in which $X$ and $Y$ are relatively prime. Then $B$ and $X$ must be relatively prime, so the congruence $Y + gX \equiv 0 \bmod B$ determines a square root $g$ of $A$ mod $B$ for which $[Y + X\sqrt{A}][B, g + \sqrt{A}] = [B(Y + X\sqrt{A}),\ Yg + AX + (Y + gX)\sqrt{A}] = [B][Y + X\sqrt{A},\ R + S\sqrt{A}]$ where $R = \frac{Yg + AX}{B}$ and $S = \frac{Y + gX}{B}$. (Because $Yg + AX \equiv g(Y + gX) \equiv 0 \bmod B$, this expression for $R$ defines a number.) Then $S(Y + X\sqrt{A}) = \frac{Y^2 + gXY}{B} + SX\sqrt{A} = \frac{AX^2 + B + gXY}{B} + SX\sqrt{A} = 1 + X(R + S\sqrt{A})$, so $1 \equiv 0 \bmod [Y + X\sqrt{A},\ R + S\sqrt{A}]$—that is, $[Y + X\sqrt{A},\ R + S\sqrt{A}] = [1]$—and $[Y + X\sqrt{A}][B, g + \sqrt{A}] = [B]$ follows.

Let the reduction algorithm be applied to $[Y + X\sqrt{A}][B, g + \sqrt{A}] = [B]$ repeatedly to generate a sequence of equations $[Y_i + X_i\sqrt{A}][B, g + \sqrt{A}] = [B][F_i, G_i + \sqrt{A}]$, beginning with $F_0 = 1$ and ending, because $X = X_0 > X_1 > X_2 > \cdots$, with an equation in which $X_N = 0$, say $[Y_N][B, g + \sqrt{A}] = [B][F_N, G_N + \sqrt{A}]$. Since both sides are in canonical form, $Y_N = B = F_N$ and $g = G_N$.

Let the $i$th equation in this sequence be $[Y_i + X_i\sqrt{A}][B, g + \sqrt{A}] = [B][F_i, G_i + \sqrt{A}]$ so that $[F_0, G_0 + \sqrt{A}] = [1]$ and $[F_N, G_N + \sqrt{A}] = [B, g + \sqrt{A}]$. As will be shown, $[F_{i-1}, G_{i-1} + \sqrt{A}]$ is the module that results from applying the comparison algorithm to $[F_i, G_i + \sqrt{A}]$ and the number used by the reduction algorithm to go from the $(i-1)$st equation to the $i$th is the number used by the comparison algorithm to go from $[F_i, G_i + \sqrt{A}]$ to $[F_{i-1}, G_{i-1} + \sqrt{A}]$.

Let $s_i$ be the number used by the reduction algorithm to go from the $(i-1)$st equation to the $i$th, and let $t_i$ be the number used by the comparison algorithm to find the successor of $[F_i, G_i + \sqrt{A}]$. It is to be shown that the successor of $[F_i, G_i + \sqrt{A}]$ is $[F_{i-1}, G_{i-1} + \sqrt{A}]$ and that $s_i = t_i$ for $i = 1, 2, \ldots, N$.


Since $s_i^2 > A$ and $s_i + G_i \equiv 0 \bmod F_i$, the only way that $s_i$ could fail to be $t_i$—the only way there could be a number smaller than $s_i$ and congruent to $s_i$ mod $F_i$ whose square was greater than $A$—would be for $s_i$ to be greater than $F_i$ and for $(s_i - F_i)^2$ to be greater than $A$. If this were the case, it would follow that $s_i^2 + F_i^2 > 2s_iF_i + A$, $F_{i-1} + F_i > 2s_i$ (subtract $A$ from both sides and divide by $F_i$), and $F_{i-1} > 2s_i - F_i > s_i$. Then $F_{i-1} - s_i$ would be a number greater than $s_i - F_i$ whose square was greater than $A$. In particular, $s_1 \ne t_1$ is impossible because $F_0 = 1$ implies that $F_0 > s_1$ is impossible.

If $i > 1$, $s_i \ne t_i$ would imply $F_{i-1} = s_i + t_{i-1}$ for the following reasons. Mod $F_{i-1}$, one has $s_i + t_{i-1} \equiv (s_i - G_{i-1}) + (t_{i-1} + G_{i-1}) \equiv 0 + 0$, so $s_i + t_{i-1}$ is divisible by $F_{i-1}$. If the quotient were not 1, it would follow that $s_i + t_{i-1} \ge 2F_{i-1}$. It was shown above that $F_{i-1} - s_i$ must be a number whose square is greater than $A$, so $t_{i-1} - F_{i-1} \ge F_{i-1} - s_i$ would also be a number whose square was greater than $A$, contrary to the definition of $t_{i-1}$. Therefore, $F_{i-1} = s_i + t_{i-1}$, as was to be shown.


Finally, if $i > 1$ and $s_{i-1} = t_{i-1}$, then $s_i = t_i$ because otherwise $F_{i-1} = s_i + t_{i-1} = s_i + s_{i-1}$. The formula

$$\frac{(s_{i-1} - \sqrt{A})(Y_{i-2} + X_{i-2}\sqrt{A})}{F_{i-2}} = Y_{i-1} + X_{i-1}\sqrt{A}$$

can be multiplied by $s_{i-1} + \sqrt{A}$ to find $F_{i-1}(Y_{i-2} + X_{i-2}\sqrt{A}) = (s_{i-1} + \sqrt{A})(Y_{i-1} + X_{i-1}\sqrt{A})$. In particular, $F_{i-1}X_{i-2} = s_{i-1}X_{i-1} + Y_{i-1}$. Since $X_{i-2} > X_{i-1}$, it would follow that $s_{i-1}X_{i-1} + Y_{i-1} > F_{i-1}X_{i-1} = s_iX_{i-1} + s_{i-1}X_{i-1}$ and $Y_{i-1} > s_iX_{i-1}$, contrary to the definition of $s_i$.
In summary, then, $s_i = t_i$ for $i = 1, 2, \ldots, N$ and application of the comparison algorithm $N$ times to $[F_N, G_N + \sqrt{A}] = [B, g + \sqrt{A}]$ ends with $[F_0, G_0 + \sqrt{A}] = [1]$.

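Multiply $(s_i - \sqrt{A})(Y_{i-1} + X_{i-1}\sqrt{A}) = F_{i-1}(Y_i + X_i\sqrt{A})$ by $s_i + \sqrt{A}$ and divide by $F_{i-1}$ to find $F_i(Y_{i-1} + X_{i-1}\sqrt{A}) = (s_i + \sqrt{A})(Y_i + X_i\sqrt{A})$. The product of the $N$ equations found in this way is

$$\prod_{i=0}^{N-1}(Y_i + X_i\sqrt{A}) \cdot F_N F_{N-1} \cdots F_1 = \prod_{i=1}^{N}(Y_i + X_i\sqrt{A}) \cdot (s_1 + \sqrt{A})(s_2 + \sqrt{A}) \cdots (s_N + \sqrt{A}).$$

Cancellation of the nonzero common factor $\prod_{i=1}^{N-1}(Y_i + X_i\sqrt{A})$ then gives $(Y + X\sqrt{A}) \cdot BF_{N-1}F_{N-2} \cdots F_1 = B \cdot (t_1 + \sqrt{A})(t_2 + \sqrt{A}) \cdots (t_N + \sqrt{A})$. In short, the solution $Y + X\sqrt{A} = \frac{(t_1 + \sqrt{A})(t_2 + \sqrt{A}) \cdots (t_N + \sqrt{A})}{F_{N-1}F_{N-2} \cdots F_1}$ is the one that results when the method of the theorem of Chapter 19 is applied to $[B, g + \sqrt{A}]$ and $N$ steps of the comparison algorithm are taken. □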
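The reduction algorithm of the proof of Theorem 3, run on a known primitive solution, as an added example that is not code from the book. The function names are this example's own; `reduction_chain` returns the numbers $s_i$ and the modules $[F_i, G_i + \sqrt{A}]$, `comparison_numbers` recomputes each $t_i$ from its defining property, and `rebuild` multiplies out $(s_1 + \sqrt{A}) \cdots (s_N + \sqrt{A})$ and divides by $F_1 \cdots F_{N-1}$.

```python
from math import gcd

def reduction_chain(A, B, X, Y):
    """Apply the reduction algorithm until X = 0.

    Returns (s, F, G) with s[i-1] = s_i, F[i] = F_i, G[i] = G_i,
    starting from [F_0, G_0 + sqrt A] = [1].
    """
    if X <= 0 or gcd(X, Y) != 1 or A * X * X + B != Y * Y:
        raise ValueError("need a primitive solution of A*X^2 + B = Y^2 with X > 0")
    s_list, F, G = [], [1], [0]
    while X > 0:
        f, g = F[-1], G[-1]
        low = -(-Y // X)                 # ceil(Y / X), so that s*X >= Y
        s = low + (g - low) % f          # smallest s = G mod F with s*X >= Y
        # (s - sqrt A)(Y + X sqrt A) = (sY - AX) + (sX - Y) sqrt A = F (Y1 + X1 sqrt A)
        Y1, rem_y = divmod(s * Y - A * X, f)
        X1, rem_x = divmod(s * X - Y, f)
        if rem_y or rem_x:
            raise ArithmeticError("product is not divisible by F")
        f1 = (s * s - A) // f            # F_1 = (s^2 - A) / F
        s_list.append(s)
        F.append(f1)
        G.append((-s) % f1)              # least G_1 with G_1 + s = 0 mod F_1
        X, Y = X1, Y1
    if not (Y == B == F[-1]):
        raise ArithmeticError("chain did not end at [B, g + sqrt A]")
    return s_list, F, G

def comparison_numbers(A, F, G):
    """t_i for i = 1..N: smallest t with t + G_i = 0 mod F_i and t^2 > A."""
    result = []
    for f, g in zip(F[1:], G[1:]):
        t = (-g) % f
        while t * t <= A:
            t += f
        result.append(t)
    return result

def rebuild(A, s_list, F):
    """(s_1 + sqrt A)...(s_N + sqrt A) / (F_1 ... F_{N-1}) as the pair (Y, X)."""
    y, x = 1, 0
    for s in s_list:
        y, x = s * y + A * x, y + s * x  # multiply y + x sqrt A by s + sqrt A
    d = 1
    for f in F[1:-1]:
        d *= f
    if y % d or x % d:
        raise ArithmeticError("product is not divisible by F_1 ... F_{N-1}")
    return y // d, x // d

if __name__ == "__main__":
    # Constructed input: 7*17^2 + 2 = 45^2
    s, F, G = reduction_chain(7, 2, 17, 45)
    print("s_i:", s, "F_i:", F, "G_i:", G)
    print("t_i:", comparison_numbers(7, F, G))
    print("rebuilt (Y, X):", rebuild(7, s, F))
```

The last entry of `G` is the square root $g$ of $A$ mod $B$ that the solution belongs to.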


Exercises for Chapter 20 


1. For each of the solutions of $A\square + B = \square$ that you found in the exercises of Chapter 19, use the reduction algorithm to retrace the steps from $[B, g + \sqrt{A}]$ to $[1]$.

2. Prove the variation of Brahmagupta’s formula alluded to in 
the proof of Theorem 3. 


3. Find the contents of several of the stable modules listed in the 
appendix (page 169), focusing, of course, on the modules that are not 
primitive. 


Exercises on Fundamental Units 


The exercises that follow draw on some simple concepts of algebraic number theory. This is not the place to enter into explanations of them, but readers already familiar with them, or readers willing to study them in books on algebraic number theory, may find the exercises interesting and challenging. Moreover, only a very little understanding of these concepts is necessary to understand the calculations, which in the end merely involve solutions of $A\square + B = \square$. Exercise 13 below gives an interesting simplification of the computation of the solution of Pell’s equation $A\square + 1 = \square$ in the most difficult cases.


A quadratic number field is a field that is obtained by adjoining to the field of rational numbers one root of one irreducible quadratic polynomial with rational coefficients. Elementary considerations (complete the square) show that every such field can be put in the form $\mathbf{Q}(\sqrt{A})$ where $A$ is an integer (possibly negative) that is not 0 or 1 and is divisible by no square greater than 1. Operationally, such a field is the set of expressions of the form $y + x\sqrt{A}$ in which $x$ and $y$ are rational numbers. They are added, subtracted, multiplied, and divided in the usual ways.


An element of a quadratic number field is called an algebraic integer if it is a root of a polynomial of the form $X^2 + aX + b$ in which $a$ and $b$ are ordinary integers (that is, either $a$ or $-a$ is a number in the sense of Chapter 1 and the same is true of $b$). A nonzero element of a quadratic number field is called a unit if both it and its reciprocal are algebraic integers.


The fundamental theorem about units of quadratic number fields states that each quadratic number field contains a unit $\varepsilon$ with the property that every unit in the field can be written in the form $\pm\varepsilon^n$ for some choice of the sign in front and for some integer $n$. (Again, to say that $n$ is an integer means that either $n$ or $-n$ is a number.) Such an $\varepsilon$ is called a fundamental unit of the quadratic number field to which it belongs.


The following exercises are concerned with the construction of a fundamental unit (and therefore of all units) of each quadratic number field $\mathbf{Q}(\sqrt{A})$, where $A$ is divisible by no square greater than 1 and $A \ne 0$ or 1.

4. Show that $y + x\sqrt{A}$ is an algebraic integer when $x$ and $y$ are ordinary integers. A great step forward in the history of algebraic number theory occurred in the middle of the 19th century when the importance of the notion of algebraic integers became clear, along with the realization that there are some algebraic integers $y + x\sqrt{A}$ in which $x$ and $y$ are not integers. Prove that $\frac{1 + \sqrt{A}}{2}$ is an algebraic integer when $A \equiv 1 \bmod 4$.


A basic theorem states that sums and products of algebraic integers are algebraic integers. Therefore, Exercise 4 implies that $\frac{y + x\sqrt{A}}{2}$ is an algebraic integer whenever $A \equiv 1 \bmod 4$ and $x$ and $y$ are both odd. Another basic theorem of algebraic number theory implies that the cases listed give a complete catalog of the algebraic integers in the field $\mathbf{Q}(\sqrt{A})$; that is, the algebraic integers in $\mathbf{Q}(\sqrt{A})$ are simply the elements $y + x\sqrt{A}$ in which $x$ and $y$ are ordinary integers, except that when $A \equiv 1 \bmod 4$, the elements in which both $x$ and $y$ are odd integers divided by 2 are also algebraic integers. The problem is to determine which of these integers are units and to show that one of them is a fundamental unit.


5. Prove that if an algebraic integer is a root of a polynomial of the form $X^2 + cX + d$ in which $c$ and $d$ are rational numbers, then $c$ and $d$ must be integers.


6. Prove that if $y + x\sqrt{A}$ is a unit of $\mathbf{Q}(\sqrt{A})$, then $y^2 - Ax^2 = \pm 1$. [The rational number $y^2 - Ax^2$, called the norm of $y + x\sqrt{A}$, is the coefficient $b$ of the polynomial $X^2 + aX + b$ of which $y + x\sqrt{A}$ is a root.]


7. Find all units in all fields $\mathbf{Q}(\sqrt{A})$ in which $A$ is negative.


For positive $A$, each unit of $\mathbf{Q}(\sqrt{A})$ determines a solution of $Ax^2 + 1 = y^2$ or $Ax^2 = y^2 + 1$ or, when $A \equiv 1 \bmod 4$, perhaps a solution of $Ax^2 + 4 = y^2$ or $Ax^2 = y^2 + 4$ in which $x$ and $y$ are numbers; conversely, the numbers that are determined in this way determine the coefficients of the corresponding unit, except for their signs, so the theorem of Chapter 19 suffices to find all units.


8. A solution of $Ax^2 = y^2 + 1$ implies a solution of $z^2 = Ay^2 + A$ in which $z \equiv 0 \bmod A$. The theorem of Chapter 19 tells how to find all solutions of $Ay^2 + A = z^2$. Show that if this equation has a solution then repeated application of the comparison algorithm to $[1]$ goes through an even number of steps before returning to $[1]$; in fact, the first half of the steps go from $[1]$ to $[A, \sqrt{A}]$ and the second half of the steps return in a symmetrical way from $[A, \sqrt{A}]$ to $[1]$. Moreover, the smallest solution of Pell’s equation for such an $A$ is given by a hypernumber of the form $y_1 + x_1\sqrt{A} = \frac{(z_2 + y_2\sqrt{A})^2}{A}$ where $z_2 + y_2\sqrt{A}$ gives the smallest solution of $z^2 = Ay^2 + A$. Prove that $z_2 \equiv 0 \bmod A$, so that the smallest solution of Pell’s equation can in fact be written in the form $(y_2 + x_2\sqrt{A})^2$ where $x_2 = z_2/A$ and where, consequently, the coefficients of $y_2 + x_2\sqrt{A}$ give the smallest solution of $Ax_2^2 = y_2^2 + 1$.

9. Prove that if $Ax^2 = y^2 + 1$ has a solution (in numbers), then the hypernumber $\varepsilon = y_2 + x_2\sqrt{A}$, where $Ax_2^2 = y_2^2 + 1$ is the smallest solution, has the property that all units whose coefficients are integers have the form $\pm\varepsilon^n$ for integer $n$, and that otherwise the hypernumber $\varepsilon = y_1 + x_1\sqrt{A}$, where $Ax_1^2 + 1 = y_1^2$ is the smallest solution of Pell’s equation, has that property.


10. It remains to find the units that have a 2 in the denominator. The condition $A \equiv 1 \bmod 4$ is necessary for $\mathbf{Q}(\sqrt{A})$ to contain such units. Prove the stronger necessary condition $A \equiv 5 \bmod 8$.


11. Show that when $A = 37$, there are no units of the form $\frac{y + x\sqrt{A}}{2}$. More generally, how can one determine, for a given number $A \equiv 5 \bmod 8$, whether $\mathbf{Q}(\sqrt{A})$ contains such units?


12. If $[4, 1 + \sqrt{A}]$ is in the cycle of $[1]$ and $[A, \sqrt{A}]$ is not in the cycle of $[1]$, the cube of a fundamental unit gives a unit $y_1 + x_1\sqrt{A}$ that describes the smallest solution of Pell’s equation. Give an algorithm for constructing such a fundamental unit and apply it in the cases $A = 21$ and 69.


13. Finally, when $A \equiv 5 \bmod 8$ and both $[A, \sqrt{A}]$ and $[4, 1 + \sqrt{A}]$ are in the cycle of $[1]$, the hypernumber $y_1 + x_1\sqrt{A}$ whose coefficients give the smallest solution of Pell’s equation is the sixth power of a fundamental unit. A method for finding a fundamental unit that seems to be effective in these cases is to note that the modules $[A, \sqrt{A}][4, 1 + \sqrt{A}]$ and $[A, \sqrt{A}][4, 3 + \sqrt{A}]$ must both be in the cycle of $[1]$. When the method of Chapter 19 for writing a module in the cycle of $[1]$ in the form $[y + x\sqrt{A}]$ (where $y^2 > Ax^2$) is used, one of these two modules turns out to be much easier to write in this form than the other. Then division by $\sqrt{4A} = 2\sqrt{A}$ gives a fundamental unit. Use this method to find a fundamental unit in the first seven cases of this type, namely, $A = 5$, 13, 29, 53, 61, 85, and 109. (The value $A = 45$ is skipped because $\mathbf{Q}(\sqrt{45}) = \mathbf{Q}(\sqrt{5})$.) Note that this gives a much shorter computation of the solution of Pell’s equation for $A = 61$ than Exercise 4 of Chapter 19 does.

Chapter 21


Euler’s Remarkable 
Discovery 


The solution of $A\square + B = \square$ begins by finding all possible square
roots of A mod B. In particular, it requires determining whether A 
has a square root mod B. Just as testing a number for primality is 
a very different and much easier problem than factoring the number, 
so is determining whether a number A has a square root mod B a 
different and easier problem than finding a square root of A mod B. 


When $B$ is a product $B = B_1B_2$, a square root of $A$ mod $B_1B_2$ determines a square root of $A$ mod $B_1$ and a square root of $A$ mod $B_2$. When $B_1$ and $B_2$ are relatively prime, the Chinese remainder theorem implies that, conversely, a square root of $A$ mod $B_1$ and a square root of $A$ mod $B_2$ can be combined to find a square root of $A$ mod $B_1B_2$. Therefore, the problem of finding square roots of $A$ mod $B$ reduces to the case in which $B$ is a power of a prime number. Since a square root of $A$ mod $p^e$ for $e > 1$ is a square root of $A$ mod $p$, the solution of $A\square + B = \square$ leads in this way to:


Problem. Given a number A, not a square, for which primes p is A 
a square mod p? 


For a given $p$, it is easy to determine the numbers $A$ that are squares mod $p$ in the following way. Given a prime $p > 2$ and a number $A$, not a square, let $C_p(A)$ denote what is called the quadratic character of $A$ mod $p$, which is 1, 0, or $-1$ according to the rule: $C_p(A) = 1$ if $A$ is congruent to a nonzero square mod $p$, $C_p(A) = 0$ if $A$ is zero mod $p$, and $C_p(A) = -1$ otherwise.¹


Proposition. $C_p(A) \equiv A^{(p-1)/2} \bmod p$.


This statement is often called Euler’s criterion for determining 
whether A is a square mod p. 


Proof. Let $g$ be a primitive root mod $p$. If $A \equiv 0 \bmod p$, then of course $A^{(p-1)/2} \equiv 0 = C_p(A) \bmod p$. Otherwise, $A \equiv g^i \bmod p$ where $i$ is the index of $A$ with respect to $g$. Since $A$ is a square mod $p$ if and only if² $i$ is even, $A^{(p-1)/2} \equiv g^{i(p-1)/2} \equiv (-1)^i = C_p(A) \bmod p$. □


Corollary. For any prime $p > 2$ and for any numbers $A$ and $B$, $C_p(AB) = C_p(A)C_p(B)$.


Deduction. From $(AB)^{(p-1)/2} = A^{(p-1)/2}B^{(p-1)/2}$ it follows that $(AB)^{(p-1)/2} \equiv A^{(p-1)/2}B^{(p-1)/2} \bmod p$, so the proposition implies $C_p(AB) \equiv C_p(A)C_p(B) \bmod p$, from which $C_p(AB) = C_p(A)C_p(B)$ follows. □


But $C_p(A)$ tells which numbers $A$ are squares modulo a fixed $p$ and therefore does not address the problem above, in which $A$ is fixed and $p$ varies over all possible primes. Euler studied the problem around 1753 and discovered empirically the amazing fact that


(1) the value of $C_p(A)$ depends only on the value of $p$ mod $4A$.


In other words, if $p$ and $q$ are primes and if $p \equiv q \bmod 4A$, then $C_p(A) = C_q(A)$. Euler was able to test enough cases to be thoroughly convinced that this rule held in all cases, even though he realized that it is an open-ended statement that could never be proved empirically.


¹ Strictly speaking, then, $C_p(A)$ is not a number, as far as this book is concerned, because $-1$ is not a number. One can smooth this over by thinking of the values of $C_p(A)$ as being 0, 1, or 3 mod 4. All that matters is the multiplication table: $0 \cdot 0 = 0$, $0 \cdot 1 = 0$, $0 \cdot (-1) = 0$, $1 \cdot 1 = 1$, $1 \cdot (-1) = -1$, and $(-1) \cdot (-1) = 1$, which is the multiplication table of 0, 1, and 3 mod 4.

² See the proposition of Chapter 15.

(Note that if $p$ divides $4A$, then $p = 2$ or $p$ divides $A$, so $p \equiv q \bmod 4A$ holds only when $q = p$, which shows that (1) is trivially true for such primes.)


Actually, Euler’s reasons for being convinced of the truth of (1) went beyond simple testing of individual values of $C_p(A)$ for fixed $A$ and varying $p$. He went on to develop more detailed conjectures about the values of $C_p(A)$, the chief one of which is that


(2) if $p$, $q$, and $r$ are primes for which $pq \equiv r \bmod 4A$ then $C_p(A)C_q(A) = C_r(A)$.


This statement superficially resembles the corollary above, but it is a far different and more surprising statement; note, for example, that $pq$ is not prime, so (2) is a statement about primes $r$ congruent to $pq$ mod $4A$ when there is in fact no obvious reason to believe that there even is a prime $r$ congruent to $pq$ mod $4A$. A third observation comes to light very quickly when (1) and (2) are explored, namely,


(3) $C_p(A)$ takes the value 1 for exactly half of the possible values of $p$ mod $4A$ and the value $-1$ for the other half.


(when one excludes the few primes that divide $4A$ and when one assumes, as is assumed throughout, that $A$ is not a square). That is, one can partition the $\varphi(4A)$ numbers less than $4A$ and relatively prime to $4A$ into two sets of equal size in such a way that $C_p(A) = 1$ for primes $p$ congruent to numbers in one set and $C_p(A) = -1$ for primes $p$ congruent to numbers in the other.³


When one explores the implications of these three conjectures—see the exercises—one develops a tightly woven web of methods for predicting the values of $C_p(A)$ for a given $A$ that is always borne out by computation. It is in this way that Euler could convince himself and his readers that the statements were true, even though he could not prove them.


³ In the language of group theory, the numbers less than $4A$ and relatively prime to $4A$ form a group of order $\varphi(4A)$. Statements (1), (2), and (3) say that there is a subgroup of index 2 in this group with the property that $C_p(A) = 1$ if and only if the class of $p$ mod $4A$ is in this subgroup. There is no assertion here that every number relatively prime to $4A$ is congruent to a prime mod $4A$ but a famous theorem of Dirichlet proves that this is in fact true.


A phenomenon of this sort—a detailed, simple prediction that 
holds up under extensive testing—suggests that there will be a sim- 
ple explanation that can be discovered by looking at the phenomenon 
in a different way. No doubt Euler in 1753 looked for a simple ex- 
planation. But he didn’t find one. He lived until 1783, and some of 
his investigations focused very narrowly on questions of exactly this 
type, but he was never able to prove his conjectures of 1753. 


The young Gauss published not one but two proofs of them in 
the Disquisitiones Arithmeticae in 1801, but although he succeeded 
after considerable effort in proving that the statements were correct, 
he does not seem to have explained them to his satisfaction, because 
he continued to study questions related to them as he searched for 
a deeper understanding of the phenomenon. His search resulted in 
many intriguing observations and alternative statements, but a cer- 
tain mystery remained and still remains about the “real explanation.” 


Euler’s conjectures acquired the imposing name of The Law of 
Quadratic Reciprocity during the 19th century and came to be seen as 
a major focus of elementary (and not-so-elementary) number theory. 
The reason for the term “reciprocity law” will be seen in Chapter 27. 
But in more modern times the “reciprocity” feature has come to seem 
less important, and modern “generalized reciprocity laws” do not in 
fact take the form of a statement about reciprocity. Instead, Euler’s 
original observation (1) seems to be the core idea. In order to have a 
convenient name for it, in the chapters that follow it will be called: 


Euler’s Law. Let $p$, $q$, and $A$ be numbers, $A$ not a square. If $p$ and $q$ are prime and if $p \equiv q \bmod 4A$, then $C_p(A) = C_q(A)$.
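Euler's kind of experiment can be repeated by machine. The following is an added example, not code from the book: it computes $C_p(A)$ with Euler's criterion, groups the primes below a bound by their value mod $4A$, and tests statements (1), (2), and (3) on those classes. The function names and the bound of 5000 are this example's own choices, and a passing check is empirical evidence in Euler's sense, not a proof.

```python
from math import gcd

def quadratic_character(a, p):
    """C_p(A) by Euler's criterion: A^((p-1)/2) mod p, reported as 1, 0 or -1."""
    if p < 3 or p % 2 == 0:
        raise ValueError("p must be an odd prime")
    r = pow(a % p, (p - 1) // 2, p)
    return -1 if r == p - 1 else r

def character_from_definition(a, p):
    """C_p(A) straight from the definition, by listing the nonzero squares mod p."""
    if a % p == 0:
        return 0
    squares = {(x * x) % p for x in range(1, p)}
    return 1 if a % p in squares else -1

def primes_up_to(n):
    """Sieve of Eratosthenes."""
    sieve = bytearray([1]) * (n + 1)
    sieve[0:2] = b"\x00\x00"
    for i in range(2, int(n ** 0.5) + 1):
        if sieve[i]:
            sieve[i * i :: i] = bytearray(len(range(i * i, n + 1, i)))
    return [i for i in range(n + 1) if sieve[i]]

def classes(a, bound=5000):
    """Map each value of p mod 4A to the set of C_p(A) seen for primes p <= bound."""
    m = 4 * a
    seen = {}
    for p in primes_up_to(bound):
        if m % p:                          # skip the primes that divide 4A
            seen.setdefault(p % m, set()).add(quadratic_character(a, p))
    return seen

def check_euler(a, bound=5000):
    """Test statements (1), (2), (3) for one non-square A; returns three booleans."""
    m = 4 * a
    seen = classes(a, bound)
    units = [r for r in range(1, m) if gcd(r, m) == 1]
    if set(seen) != set(units):
        raise ValueError("bound too small: some class mod 4A contains no prime yet")
    one = all(len(values) == 1 for values in seen.values())
    if not one:
        return False, False, False
    value = {r: next(iter(v)) for r, v in seen.items()}
    # (2): the class of pq mod 4A carries the product of the two characters
    two = all(value[r * s % m] == value[r] * value[s] for r in units for s in units)
    # (3): exactly half of the phi(4A) classes carry the value 1
    three = 2 * sum(v == 1 for v in value.values()) == len(units)
    return one, two, three

def circled(a, bound=5000):
    """Numbers mod 4A whose primes all have C_p(A) = 1 (the circles of Exercise 1)."""
    return sorted(r for r, v in classes(a, bound).items() if v == {1})

if __name__ == "__main__":
    for a in (2, 3, 5, 6, 15):
        print(a, check_euler(a), circled(a))
```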


Exercises for Chapter 21 


Study Questions. 


1. For $A = 2$, 3, 5, and 6, list the $\varphi(4A)$ numbers that are less than $4A$. For each listed number, find at least two primes that are congruent to it mod $4A$ and use Euler’s criterion to determine whether $A$ is a square modulo them. Verify that $C_p(A)$ has the same value for all the primes $p$ you have listed that are congruent to the same number mod $4A$. If the common value is 1, draw a circle around the number and otherwise draw a square around it. Note that Euler’s properties (2) and (3) are valid for these four values of $A$. There is a fourth fact about the distribution of circles and squares that relates the values of $C_p(A)$ and $C_q(A)$ when $p + q \equiv 0 \bmod 4A$. Find it. Carry the process beyond $A = 6$.


2. For larger values of A, try finding the numbers that get circles 
using as few tests as possible. By Euler’s property (2), any number 
less than 4A and relatively prime to 4A that is a square mod 4A must 
get a circle. Thus, 1, 9, 25, 49, ... all get circled as long as they are 
less than 4A. So do $4A - 1$, $4A - 9$, .... For A = 2, 3, and 5, these
simple observations account for all of the circled numbers, because 
these observations imply that half of the numbers must be circled, so 
the remaining numbers must all get squares. For A = 6 one needs 
only one test—namely, the easy observation that 6 is a square mod 
5—to find that 5 should be circled, after which all circled numbers 
are accounted for. How many tests do you need when A = 15? Try 
others. 


3. Show that if A is prime, one can determine the circled numbers 
by the method of Exercise 2 without doing any tests. The resulting 
statement is one version of the law of quadratic reciprocity. 


Computations. 

4. Choose a 5-digit number $A$, not a square, and find a 10-digit prime $p$. Find a number $j$ for which $p + 4jA$ is prime, call it $q$, and then apply Euler’s criterion to verify that $C_p(A) = C_q(A)$.

Stable Modules


The comparison algorithm applied to a module $[f, g + \sqrt{A}]$ in canonical form (with $e = 1$) determines another module $[f_1, g_1 + \sqrt{A}]$ in the same form, the successor of $[f, g + \sqrt{A}]$. The sequence of successors of $[f, g + \sqrt{A}]$ is the infinite sequence $[f_1, g_1 + \sqrt{A}]$, $[f_2, g_2 + \sqrt{A}]$, ... in which each new module is the successor of the one that came before. A module $[f, g + \sqrt{A}]$ will be called stable if it occurs in its own sequence of successors, so that the sequence of successors cycles back to $[f, g + \sqrt{A}]$ itself and then endlessly repeats the same cycle.


Theorem. Let $A$ be a given number, not a square. For each number $k$ whose square is less than $A$ and for each factor $f$ of $A - k^2$ that satisfies $f \ge 2k$, the modules $[f, k + \sqrt{A}]$ and $[f, f - k + \sqrt{A}]$ are stable modules, and every stable module for this $A$ has this form. In particular, the number of stable modules is twice the number of pairs $(k, f)$ that satisfy these requirements (that $k^2 < A$, $k^2 \equiv A \bmod f$, and $f \ge 2k$) minus the number of such pairs for which $[f, k + \sqrt{A}] = [f, f - k + \sqrt{A}]$ (or, more specifically, minus the number of such pairs in which¹ $k = 0$ or $2k = f$).


¹ When $k = 0$, $[f, k + \sqrt{A}] = [f, f - k + \sqrt{A}]$ but the latter is not in canonical form. When $k > 0$ and $f = 2k$, $[f, k + \sqrt{A}]$ and $[f, f - k + \sqrt{A}]$ are identical. Otherwise, $[f, k + \sqrt{A}]$ and $[f, f - k + \sqrt{A}]$ are in canonical form and not identical, so they are distinct.

Proof. Let $M$ denote the set of all modules $[f, g + \sqrt{A}]$ for which $|r - f|^2 < A$, where $r$ is the number used by the comparison algorithm to find the successor of $[f, g + \sqrt{A}]$—that is, where $r$ is the smallest solution of $r + g \equiv 0 \bmod f$ for which $r^2 > A$. It was shown in Chapter 20 that $M$ is a finite set and that the successor of a module in $M$ is in $M$. Thus, the function that assigns to each module in $M$ its successor is a function from the finite set $M$ to itself.


This function is one-to-one because the successor $[f_1, g_1 + \sqrt{A}]$ of $[f, g + \sqrt{A}]$ determines $[f, g + \sqrt{A}]$ in the following way. First, $r$ is the least number congruent to $g_1$ mod $f_1$ for which $r^2 > A$, because if it were not, then $r$ would be greater than $f_1$ and $(r - f_1)^2$ would be greater than $A$, which would imply $r^2 + f_1^2 > 2rf_1 + A$, $ff_1 + f_1^2 > 2rf_1$, $f + f_1 > 2r$, $f^2 + ff_1 > 2rf$, $f^2 + r^2 > 2rf + A$, contrary to the assumption $|r - f|^2 < A$. Then $f$ is determined by $f = (r^2 - A)/f_1$ and $g$ is determined as the least solution of $g + r \equiv 0 \bmod f$.


Thus, the successor function, being a one-to-one function from a 
finite set to itself, is an onto function, which is to say that it is simply 
a permutation of M. It therefore partitions M into cycles, and the 
sequence of successors of any module in M is a cycle, so all modules 
in M are stable. 


No other modules are stable, because, as was shown in Chapter 20, the value of $|r - f|^2$ for a module not in $M$ decreases for successive modules until $M$ is reached. What is to be shown, then, is that the description in the theorem describes the modules of $M$.


The modules $[f, k + \sqrt{A}]$ or $[f, f - k + \sqrt{A}]$ described in the theorem are in $M$. In the case of $[f, k + \sqrt{A}]$, $r = jf - k$ for some $j \ge 1$; if $j = 1$, then $k = f - r$, so $|r - f|^2 = k^2 < A$, but if $j > 1$, then $r \ge 2f - k = f + (f - k) > f$ and $(r - f)^2 < A$ by the definition of $r$. In the case of $[f, f - k + \sqrt{A}]$, $r$ has the form $r = jf + k$ for some $j$; the condition $k^2 < A$ implies $j \ne 0$, so $r \ge f$ and $(r - f)^2 < A$ by the definition of $r$.

Finally, a module in $M$ is one of those described by the theorem, as can be seen in the following way. To say that $[f, g + \sqrt{A}]$ is in $M$ means that $|r - f|^2 < A$, where $r$ is defined as before. Let $l = |r - f|$. Then $l^2 < A$ and $l^2 = r^2 - 2rf + f^2 \equiv r^2 \equiv A \bmod f$. If $l \ge f$, then $l_1 = l - f$ satisfies $l_1^2 < l^2 < A$ and $l_1^2 \equiv l^2 \equiv A \bmod f$. Similarly, if $l_1 \ge f$, then $l_2 = l_1 - f$ satisfies $l_2^2 < A$ and $l_2^2 \equiv A \bmod f$. Continuing in this way, one must eventually reach an $l_i$ for which $l_i^2 < A$, $l_i^2 \equiv A \bmod f$, and $l_i < f$. Let $m = l_i$. If $2m \le f$, then $[f, m + \sqrt{A}]$ and $[f, f - m + \sqrt{A}]$ are both among the modules listed by the theorem. If $2m > f$, then $m' = f - m$ satisfies $2m' = 2f - 2m = f - (2m - f) < f$, as well as $(m')^2 = f^2 - 2mf + m^2 < f^2 - f^2 + m^2 = m^2 < A$ and $(m')^2 \equiv m^2 \equiv A \bmod f$, so both $[f, m' + \sqrt{A}] = [f, f - m + \sqrt{A}]$ and $[f, f - m' + \sqrt{A}] = [f, m + \sqrt{A}]$ are listed by the theorem. The given module is $[f, r + \sqrt{A}]$ (not necessarily in canonical form); since $l = |r - f| \equiv \pm r \bmod f$ and $m \equiv l \bmod f$, the given module is either $[f, m + \sqrt{A}]$ or $[f, f - m + \sqrt{A}]$, both of which are listed by the theorem. □


Once the stable modules have been listed, the comparison algo- 
rithm can be used to partition them into cycles. 


Exercise for Chapter 22 


The table in the appendix (page 169) gives one stable module 
from each cycle of stable modules for each value of A, not a square, 
less than 112. Choose a value of A, use the theorem of this chapter 
to find all stable modules for the chosen A, and use the comparison 
algorithm to find how they are partitioned into cycles. Then compare 
your answer to the table in the appendix. (The meaning of the + and 
— signs in the tables will be explained in Chapter 24.) 
Equivalence of Modules


As before, let A be a fixed number, not a square, and let all hyper- 
numbers and all modules of hypernumbers be understood to derive 
from this A. 


Definitions. A module is principal if it can be expressed in the
form $[y + x\sqrt{A}]$ where $x$ and $y$ are numbers for which $Ax^2 < y^2$. Two
modules $M_1$ and $M_2$ are equivalent, written $M_1 \sim M_2$, if there are
principal modules $P_1$ and $P_2$ for which $P_1M_1 = P_2M_2$.


Brahmagupta’s formula implies that a product of principal modules
is principal because the product of $[y + x\sqrt{A}]$ and $[v + u\sqrt{A}]$ is
$[(yv + Axu) + (yu + xv)\sqrt{A}]$ and Brahmagupta’s formula states that
$A(yu + xv)^2 + (y^2 - Ax^2)(v^2 - Au^2) = (yv + Axu)^2$, so $y^2 > Ax^2$
and $v^2 > Au^2$ imply $(yv + Axu)^2 > A(xv + yu)^2$. This property
of principal modules is used in the proof that “equivalence,” as it is
defined above, is transitive: If $M_1 \sim M_2$ and $M_1 \sim M_3$, there are
principal modules $P_1$, $P_2$, $Q_1$, and $Q_2$ for which $P_1M_1 = P_2M_2$ and
$Q_1M_1 = Q_2M_3$; then $P_2Q_1M_2 = P_1Q_1M_1 = P_1Q_2M_3$ and $P_2Q_1$ and
$P_1Q_2$ are principal, which shows that $M_2 \sim M_3$.

As is obvious from the definition, “equivalence” is also reflexive
and symmetric, so it is a true equivalence relation. Moreover, it
is consistent with the multiplication of modules in the sense that
$M_1 \sim M_2$ implies $M_1M_3 \sim M_2M_3$ for all modules $M_3$.
Problem. Given two modules, determine whether they are equivalent.


The comparison algorithm produces an equation
$[r + \sqrt{A}][f, g + \sqrt{A}] = [f][f_1, g_1 + \sqrt{A}]$ which shows that
$[f_1, g_1 + \sqrt{A}] \sim [f, g + \sqrt{A}]$ because $[r + \sqrt{A}]$ and $[f]$ are
principal modules. (Recall that $r^2 > A$ by the choice of $r$.)
Therefore, a module is equivalent to all of
its successors. In particular, every module is equivalent to a stable 
module. Therefore, to be able to determine whether two modules are 
equivalent, it will suffice to be able to determine whether two stable 
modules are equivalent. 


Since a stable module is equivalent to its successors, a sufficient 
condition for two stable modules to be equivalent is for them to be 
in the same cycle. The problem will be solved by proving that this 
sufficient condition is also necessary: 


Theorem. Equivalent stable modules lie in the same cycle. 


A module $[e][f, g + \sqrt{A}]$ in canonical form is equivalent to
$[f, g + \sqrt{A}]$. Therefore, the assumption that two modules in canonical form
$[e][f, g + \sqrt{A}]$ and $[E][F, G + \sqrt{A}]$ are equivalent is the assumption that
there are hypernumbers $s + r\sqrt{A}$ and $v + u\sqrt{A}$ for which $s^2 > Ar^2$
and $v^2 > Au^2$ and $[s + r\sqrt{A}][f, g + \sqrt{A}] = [v + u\sqrt{A}][F, G + \sqrt{A}]$.


This assumption can be put in simpler form using: 


Lemma. Given a principal module $[v + u\sqrt{A}]$, there is a principal
module $[V + U\sqrt{A}]$ for which $[V + U\sqrt{A}][v + u\sqrt{A}] = [n]$ for some
nonzero number $n$.


Proof. Since $[1]$ is a stable module, it occurs infinitely often in the
sequence of its successors and the theorem of Chapter 19 implies that
the equation $Ax^2 + 1 = y^2$ has infinitely many solutions. Moreover,
the numbers $x$ and $y$ in successive solutions grow without bound, so
there is a solution of this equation in which $x > u$. Then
$(uy)^2 = u^2(Ax^2 + 1) < Au^2x^2 + x^2 = (Au^2 + 1)x^2 \le (vx)^2$ (because
$Au^2 < v^2$ implies $Au^2 + 1 \le v^2$). In short, $uy < vx$. Furthermore,
$v^2y^2 > (Au^2)(Ax^2) = (Aux)^2$, so $vy > Aux$. Therefore,
$(y + x\sqrt{A})(v - u\sqrt{A})$ is a well-defined hypernumber in the sense that
$(y + x\sqrt{A})u\sqrt{A}$ can be subtracted from $(y + x\sqrt{A})v$, say
$V + U\sqrt{A} = (y + x\sqrt{A})(v - u\sqrt{A})$. Then
$[V + U\sqrt{A}][v + u\sqrt{A}] = [(y + x\sqrt{A})(v - u\sqrt{A})(v + u\sqrt{A})] =
[(y + x\sqrt{A})(v^2 - Au^2)] = [v^2 - Au^2][y + x\sqrt{A}] = [v^2 - Au^2]$ (because
$1 = y^2 - Ax^2$ implies $[y + x\sqrt{A}] = [1, y + x\sqrt{A}] = [1]$), which completes
the proof of the lemma. □


Proof of the theorem. The lemma shows that it will suffice to
prove that if $[f, g + \sqrt{A}]$ and $[F, G + \sqrt{A}]$ are stable modules in
canonical form and if there is a hypernumber $Y + X\sqrt{A}$ for which
$Y^2 > AX^2$ and $[Y + X\sqrt{A}][f, g + \sqrt{A}] = [E][F, G + \sqrt{A}]$, then
$[f, g + \sqrt{A}]$ and $[F, G + \sqrt{A}]$ are in the same cycle.


Because the equation can be multiplied by $[f]$, if needed, one
can assume without loss of generality that $E$ is divisible by $f$—that
is, that the given equation has the form
$[Y + X\sqrt{A}][f, g + \sqrt{A}] = [fE][F, G + \sqrt{A}]$. Then
$(Y + X\sqrt{A})f \equiv 0 \bmod [fE][F, G + \sqrt{A}]$ implies
$fX \equiv 0 \bmod fF$ and $fY \equiv GfX \equiv 0 \bmod fEF$ by the corollary
of Chapter 18. Since these congruences imply $X \equiv 0 \bmod EF$ and
$Y \equiv GX \bmod EF$, they imply that both $X$ and $Y$ are zero mod $E$
and division by $[EF]$ puts the given equation in the form


(1)    $[Y + X\sqrt{A}][f, g + \sqrt{A}] = [f][F, G + \sqrt{A}]$


for a new hypernumber $Y + X\sqrt{A}$ in which $Y^2 > AX^2$. In short, the
equivalence of $[f, g + \sqrt{A}]$ and $[F, G + \sqrt{A}]$ implies an equivalence of
the special form (1).


If $X = 0$, equation (1) implies that $[f, g + \sqrt{A}]$ and $[F, G + \sqrt{A}]$ are
identical. Otherwise, let the reduction algorithm be applied to (1) as
in Chapter 20 to find a sequence of equations
$[Y_i + X_i\sqrt{A}][f, g + \sqrt{A}] = [f][F_i, G_i + \sqrt{A}]$ in which
$X = X_0 > X_1 > \cdots > X_N = 0$. As
before, let $s_i$ be the number used by the reduction algorithm to go
from the $(i - 1)$st equation to the $i$th and let $t_i$ be the number used
by the comparison algorithm to find the successor of $[F_i, G_i + \sqrt{A}]$.
By the same argument as before, $s_i \ne t_i$ would imply $F_{i-1} > s_i$
and $(F_{i-1} - s_i)^2 > A$. This is impossible when $i = 1$ because then
$x = F_0 - s_1$ would be the smallest solution of $x + G_0 \equiv 0 \bmod F_0$ and
$(F_0 - s_1)^2 > A$ would contradict the assumption that $[F_0, G_0 + \sqrt{A}]$ is
stable. Also as before, $s_{i-1} = t_{i-1}$ for $i > 1$ implies $s_i = t_i$. Therefore,
$[F, G + \sqrt{A}] = [F_0, G_0 + \sqrt{A}]$ is the $N$th successor of
$[F_N, G_N + \sqrt{A}] = [f, g + \sqrt{A}]$. In particular, $[F, G + \sqrt{A}]$ is in the
cycle of $[f, g + \sqrt{A}]$, as was to be shown. □


Thus, equivalence classes of modules for a given A correspond 
one-to-one to cycles of stable modules for that A. The principal 
modules are those that are equivalent to [1]. (In fact, they are called 
“principal” because they are in the principal equivalence class, the 
class of the module [1].) Because there is a natural way to multiply 
equivalence classes of modules—the equivalence class of a product of 
two modules is determined by the equivalence classes of the factors—it 
follows that there is a natural way to multiply cycles. This multipli- 
cation of cycles is commutative and associative, and the principal 
cycle, the cycle of [1], is an identity with respect to this multiplica- 
tion. 


Recall that a module is primitive if its content is 1 (Chapter 
20). 


Proposition. A module is primitive if and only if its equivalence 
class is invertible relative to the multiplication of equivalence classes 
that was just defined. Otherwise stated, a given module is primitive 
if and only if there is a module whose product with the given module 
is equivalent to [1]. 


Proof. A primitive module $[e][f, g + \sqrt{A}]$ is invertible because its
norm—its product with its conjugate—is $[ef]$, which is equivalent to
$[1]$. That the converse holds—an invertible module is primitive—can
be proved in the following way:


Let $[e^2 f][d, g + \sqrt{A}]$ be the norm of $[e][f, g + \sqrt{A}]$ as in Chapter
20. Then $[d, g + \sqrt{A}][f, g + \sqrt{A}] = [df, d(g + \sqrt{A}), f(g + \sqrt{A}), (g + \sqrt{A})^2]
= [df, d(g + \sqrt{A}), g^2 + A + 2g\sqrt{A}]$ because $f$ is a multiple
of $d$. Moreover, $2g$ is a multiple of $d$, say $2g = qd$, and subtraction
of $q$ times the middle term from the last gives
$g^2 + A - qdg = g^2 + A - 2g^2 \equiv 0 \bmod f$, so the last term can be dropped,
leaving $[d, g + \sqrt{A}][f, g + \sqrt{A}] = [df, d(g + \sqrt{A})] = [d][f, g + \sqrt{A}]$.
Therefore, $[d, g + \sqrt{A}][f, g + \sqrt{A}] \sim [f, g + \sqrt{A}]$. If
$[e][f, g + \sqrt{A}]$ is invertible, there is a
module $[E][F, G + \sqrt{A}]$ whose product with $[e][f, g + \sqrt{A}]$ is equivalent
to $[1]$, so multiplication of $[d, g + \sqrt{A}][f, g + \sqrt{A}] \sim [f, g + \sqrt{A}]$ by
$[e][E][F, G + \sqrt{A}]$ then gives $[d, g + \sqrt{A}] \sim [1]$.

Thus, if $[e][f, g + \sqrt{A}]$ is invertible, the theorem of this chapter
implies that $[1]$ is a successor of $[d, g + \sqrt{A}]$. Since it was shown in
Chapter 20 that no successor of a module that is not primitive can
be primitive, the desired conclusion $d = 1$ follows. □


For readers familiar with the terminology of group theory: The 
primitive cycles of stable modules form a finite commutative group 
under multiplication; this group is called the class group for the 
given A. 


Exercise for Chapter 23 


1. Prove that the equivalence class of $[3, \sqrt{75}]$ is invertible by
(a) finding its content, (b) finding its square, and (c) applying the 
comparison algorithm to its product with its successor. 
Chapter 24


Signatures of 
Equivalence Classes 


In studying “Euler’s law” (see Chapter 21), it is natural to assume
that $A$ is not divisible by any square, because $C_p(n^2A) = C_p(A)$
except for the few primes $p$ that divide $n$, which shows that Euler’s
law for $A$ implies it for $n^2A$. (If $p \equiv q \bmod 4n^2A$, then $p \equiv q \bmod
4A$, which implies $C_p(A) = C_q(A)$ and therefore implies
$C_p(n^2A) = C_q(n^2A)$ unless $n \equiv 0 \bmod p$, in which case
$C_p(n^2A) = C_q(n^2A) = 0$.)
In other words, it is natural to assume that $A$ is a product of distinct
primes. Such an $A$ is called squarefree.


Proposition 1. Given an odd prime factor $A_1$ of a squarefree number
$A$ and given a module $[f, g + \sqrt{A}]$ for that $A$, there is a module
$[f', g' + \sqrt{A}]$ in canonical form equivalent to $[f, g + \sqrt{A}]$ in which
$f' \not\equiv 0 \bmod A_1$. The value of $C_{A_1}(f')$ is the same for all such
modules $[f', g' + \sqrt{A}]$.


Proof. Assume without loss of generality that $[f, g + \sqrt{A}]$ is in
canonical form and let $[f_1, g_1 + \sqrt{A}]$ be its successor. Then
$ff_1 = r^2 - A$ for the $r$ used by the comparison algorithm to determine
the successor. Suppose $A_1$ divides $f$. Since $A_1$ divides $A$, $A_1$ must
then divide $r^2$, and since $A_1$ is prime, it must divide $r$ and therefore
$A_1^2$ must divide $r^2$; if $A_1$ divided $f_1$, then $A_1^2$ would divide
$A = r^2 - ff_1$, which is impossible because $A$ is squarefree. In short,
if $[f, g + \sqrt{A}]$ fails to have the property that $f \not\equiv 0 \bmod A_1$,
then its successor does have
that property, which proves the first statement of the proposition.


If neither $f$ nor $f_1$ is divisible by $A_1$, then $C_{A_1}(f) = C_{A_1}(f_1)$
because $ff_1 = r^2 - A \equiv r^2 \bmod A_1$; therefore
$C_{A_1}(f)C_{A_1}(f_1) = C_{A_1}(ff_1) = C_{A_1}(r^2 - A) = C_{A_1}(r^2) = (C_{A_1}(r))^2 = 1$.
(Because $ff_1$ is not divisible by $A_1$, but $A$ is divisible by $A_1$,
$r^2 = ff_1 + A$ is not divisible by $A_1$, so $C_{A_1}(r) = \pm 1$.) Thus,
$C_{A_1}(f)$ and $C_{A_1}(f_1)$ are either both 1 or both $-1$, so the modules
$[f_i, g_i + \sqrt{A}]$ in the sequence of successors of $[f, g + \sqrt{A}]$ all
satisfy $C_{A_1}(f) = C_{A_1}(f_i)$ as long as $C_{A_1}(f_i) \ne 0$.

But if $C_{A_1}(f_i) = 0$ for some $i$, then $C_{A_1}(f_{i-1}) = C_{A_1}(f_{i+1}) \ne 0$,
as can be seen in the following way. When $f_{i-1}f_i = r_i^2 - A$ and
$f_if_{i+1} = r_{i+1}^2 - A$ are multiplied, one finds
$f_{i-1}f_i^2f_{i+1} = (r_ir_{i+1} + A)^2 - A(r_i + r_{i+1})^2$ by Brahmagupta’s
formula. Both $r_i$ and $r_{i+1}$ are divisible by $A_1$ and, as was seen above,
$f_i$ is divisible just once by $A_1$. Therefore,
$f_{i-1} \cdot \left(\frac{f_i}{A_1}\right)^2 \cdot f_{i+1} = \left(\frac{r_ir_{i+1} + A}{A_1}\right)^2 - A\left(\frac{r_i + r_{i+1}}{A_1}\right)^2$
is a square mod $A_1$ (because the right side is) that is not zero mod $A_1$
(because the left side is not). Since the same is true of
$\left(\frac{f_i}{A_1}\right)^2$, the desired conclusion $C_{A_1}(f_{i-1}f_{i+1}) = 1$ follows.


Thus, if $f \not\equiv 0 \bmod A_1$, then $C_{A_1}(f_i) = C_{A_1}(f)$ for all successors
$[f_i, g_i + \sqrt{A}]$ of $[f, g + \sqrt{A}]$ in which $C_{A_1}(f_i) \ne 0$. If
$[f, g + \sqrt{A}]$ is equivalent to $[f', g' + \sqrt{A}]$ and neither $f$ nor $f'$ is
0 mod $A_1$, then $C_{A_1}(f) = C_{A_1}(f')$ because, by the Theorem of Chapter 23,
both are $C_{A_1}(f'')$ where $[f'', g'' + \sqrt{A}]$ is a stable successor of
$[f, g + \sqrt{A}]$ in which $f'' \not\equiv 0 \bmod A_1$. □


For example, when $A = 105$, there are 8 equivalence classes of
modules. The modules $[1, \sqrt{105}]$, $[105, \sqrt{105}]$, $[3, \sqrt{105}]$,
$[15, \sqrt{105}]$, $[2, 1 + \sqrt{105}]$, $[4, 1 + \sqrt{105}]$, $[6, 3 + \sqrt{105}]$, and
$[10, 5 + \sqrt{105}]$ represent
the eight classes. For any $[f, g + \sqrt{A}]$ in the first equivalence class,
$C_3(f) = C_5(f) = C_7(f) = 1$ for the three prime factors 3, 5, and 7
of 105 by Proposition 1, provided $f$ is relatively prime to 105. This
statement will be abbreviated by saying that the signature of this first
equivalence class is + + +. The second equivalence class contains the
successor $[104, 1 + \sqrt{105}]$ of $[105, \sqrt{105}]$ so the values of $C_3(f)$,
$C_5(f)$, and $C_7(f)$ for any $[f, g + \sqrt{A}]$ in this class for which $f$ is
relatively prime to 105 can be determined by determining
$C_3(104) = C_3(2) = -1$, $C_5(104) = C_5(4) = 1$, and $C_7(104) = C_7(6) = -1$.
Thus, the signature of this class is − + −. In similar ways, the
signatures of the remaining six classes can be found to be + − −,
− − +, − − +, + + +, − + −, and + − −, respectively.

These observations go a long way toward establishing the truth of
Euler’s law in the case $A = 105$ because they show that if $C_{105}(p) = 1$
for some prime $p$, then, because there is a module $[p, k + \sqrt{A}]$ for some
$k$, the quadratic characters of $p$ with respect to the prime factors 3,
5, and 7 of 105 must be those of one of the 4 signatures found above.
In particular, $C_{105}(11) = 1$ is impossible because if it were possible,
there would be a module $[11, g + \sqrt{105}]$ in canonical form and the
signature of this module would be − + + (because $C_3(11) = -1$,
$C_5(11) = 1$, and $C_7(11) = 1$) which is not among the signatures
that were found. For the same reason, $C_{105}(p) = 1$ is impossible
whenever $p$ is prime and congruent to 11 mod 105. In the same way,
$C_{105}(p) = 1$ is impossible for exactly half of the possible congruence
classes for $p$ mod 105, namely, the classes mod 105 that are relatively
prime to 105 that contain primes $p$ for which the signs of $C_3(p)$, $C_5(p)$,
and $C_7(p)$ follow one of the patterns − − −, + − +, − + +, or + + −.


In many cases, there is an additional condition that $p$ must satisfy
in order for $C_A(p) = 1$ to be possible. For example, when
$A \equiv 3 \bmod 4$, there is a restriction on the odd values of $f$ that occur in
any given cycle:


Proposition 2. Given a squarefree number $A$ that is 3 mod 4 and
given a module $[f, g + \sqrt{A}]$, there is a module $[f', g' + \sqrt{A}]$ in canonical
form equivalent to $[f, g + \sqrt{A}]$ in which $f'$ is odd. The value of $f'$ is
the same mod 4 in all such modules $[f', g' + \sqrt{A}]$.


Proof. The formula $ff_1 = r^2 - A$ shows that if $f$ is even, then
$r$ is odd and $ff_1 \equiv 1 - A \equiv 2 \bmod 4$, so both $\frac{f}{2}$ and $f_1$ are odd.
Thus, the successors of any module include modules in which $f$ is
odd. If both $f$ and $f_1$ are odd, then $r$ must be even and
$ff_1 \equiv -A \equiv 1 \bmod 4$, from which $f \equiv f_1 \bmod 4$ follows. If $f_i$ is even
in some successor, then $f_{i-1}$ and $f_{i+1}$ are both odd, as is $\frac{f_i}{2}$, and the
formula
$f_{i-1} \cdot \left(\frac{f_i}{2}\right)^2 \cdot f_{i+1} = \left(\frac{r_ir_{i+1} + A}{2}\right)^2 - A \cdot \left(\frac{r_i + r_{i+1}}{2}\right)^2$
shows, because the
number on the left is odd, that just one of the squares on the right is
odd; since the square of an odd number is 1 mod 4 while the square
of an even number is 0 mod 4, it follows that $f_{i-1}f_{i+1} \equiv 1 - A \cdot 0$ or
$f_{i-1}f_{i+1} \equiv 0 - A \cdot 1 \bmod 4$, so $f_{i-1}f_{i+1} \equiv 1$ and $f_{i-1} \equiv f_{i+1} \bmod 4$ in
either case. Thus, the value of $f'$ mod 4 is the same in all successors
$[f', g' + \sqrt{A}]$ of $[f, g + \sqrt{A}]$ in which $f'$ is odd and the remaining
statements of the proposition follow as before. □


For example, when $A = 195 = 3 \cdot 5 \cdot 13$, there are 8 cycles,
of which the 8 modules $[1, \sqrt{195}]$, $[195, \sqrt{195}]$, $[3, \sqrt{195}]$,
$[5, \sqrt{195}]$, $[13, \sqrt{195}]$, $[15, \sqrt{195}]$, $[39, \sqrt{195}]$, and
$[65, \sqrt{195}]$ are representatives.
Their signatures, as defined above are + + +, − + +, + − +, − + −,
+ − −, − − −, + + −, and − − +, respectively, as is easily found. (For
example $[3, \sqrt{195}] \sim [10, 5 + \sqrt{195}]$ and $C_3(10) = 1$ shows that the
first sign of the third signature is +, while the remaining two signs
come from $C_5(3) = -1$ and $C_{13}(3) = 1$.) Proposition 2 implies that a
fourth sign can be annexed to the signature of each cycle. As is easily
checked, in all eight cases the additional sign is determined by the
condition that the total number of minus signs is always even. Thus,
the eight signatures are + + + +, − + + −, + − + −, − + − +, + − − +,
− − − −, + + − −, and − − + +, respectively.


Since $A$ is assumed to be squarefree, the even values of $A$ to be
considered are those that are $\equiv 2$ or $6 \bmod 8$. In each of these cases,
a sign that can be annexed to the signature is determined by:


Proposition 3. Given a squarefree number $A$ that is 2 mod 4 and
given a module $[f, g + \sqrt{A}]$, there is a module $[f', g' + \sqrt{A}]$ in canonical
form equivalent to $[f, g + \sqrt{A}]$ in which $f'$ is odd. When $A \equiv 2 \bmod 8$,
two such values of $f'$, call them $f'$ and $f''$, must satisfy either
$f' \equiv f'' \bmod 8$ or $f' \equiv -f'' \bmod 8$. When $A \equiv 6 \bmod 8$, they must satisfy
either $f' \equiv f'' \bmod 8$ or $f' \equiv 3f'' \bmod 8$.


Proof. As before, the key formula is $ff_1 = r^2 - A$. If $f$ is even,
then $r$ must be even, which implies that $ff_1 \equiv -A \equiv 2 \bmod 4$, so $\frac{f}{2}$
and $f_1$ must be odd, which proves the first statement of the theorem.
If $f$ and $f_1$ are both odd, then $r^2 - A$ and $r$ are odd, so
$ff_1 \equiv 1 - A \bmod 8$; thus, $f_1 \equiv -f \bmod 8$ when $A \equiv 2 \bmod 8$ and
$f_1 \equiv 3f \bmod 8$ when $A \equiv 6 \bmod 8$. Finally, if $f_i$ is even, then
$f_{i-1} \cdot \left(\frac{f_i}{2}\right)^2 \cdot f_{i+1} = \left(\frac{r_ir_{i+1} + A}{2}\right)^2 - A \cdot \left(\frac{r_i + r_{i+1}}{2}\right)^2$
is odd, which implies that $\frac{r_ir_{i+1} + A}{2}$ is
odd, from which $f_{i-1}f_{i+1} \equiv 1$ or $1 - A \bmod 8$, depending on whether
$\frac{r_i + r_{i+1}}{2}$ is even or odd, and the proposition follows as before. □


For example, when $A = 30$, the signature of an equivalence class
of modules can be taken to contain three signs, the first two signs,
of $C_3(f)$ and $C_5(f)$, determined as above and a third sign which
is + when $f \equiv 1$ or $3 \bmod 8$ and minus when $f \equiv 5$ or $7 \bmod 8$
for an odd $f$. There are four equivalence classes of modules when
$A = 30$ represented by, for example, $[1, \sqrt{30}]$, $[30, \sqrt{30}]$, $[2, \sqrt{30}]$, and
$[10, \sqrt{30}]$. Their signatures are easily found to be + + +, − + −, − − +,
and + − −, respectively.


Definition. For a given squarefree number $A$, the signature of an
equivalence class of modules for that $A$ is a sequence of signs, + or
−, determined in the following way. Let $A_1$, $A_2$, ..., $A_m$ be the odd
prime factors of $A$ ordered by $A_1 < A_2 < \cdots < A_m$. (If $A = 2$, then
$m = 0$; otherwise $m > 0$.) The $i$th sign of the signature for $i \le m$
is found by finding a module $[f, g + \sqrt{A}]$ in the equivalence class for
which $f \not\equiv 0 \bmod A_i$ and taking the $i$th sign to be the sign of $C_{A_i}(f)$
for this $f$. If $A \equiv 1 \bmod 4$, the $m$ signs determined in this way are the
complete signature. Otherwise, there is one more sign, an $(m + 1)$st
sign, determined by finding a module $[f, g + \sqrt{A}]$ in the equivalence
class in which $f$ is odd and determining that last sign according to
the rules:


if $A \equiv 3 \bmod 4$, the sign is + if $f \equiv 1 \bmod 4$ and − otherwise,
if $A \equiv 2 \bmod 8$, the sign is + if $f \equiv \pm 1 \bmod 8$ and − otherwise,
if $A \equiv 6 \bmod 8$, the sign is + if $f \equiv 1$ or $3 \bmod 8$ and − otherwise.


Notation: Let $\lambda_1$, $\lambda_2$, and $\lambda_3$ denote the functions that assign
$\pm 1$ to odd numbers that give the last sign of the signatures for $A$ in
the cases $A \equiv 3 \bmod 4$, $A \equiv 2 \bmod 8$, and $A \equiv 6 \bmod 8$, respectively.
That is, for an odd number $f$, $\lambda_1(f)$ is 1 if $f \equiv 1 \bmod 4$, $-1$ if
$f \equiv 3 \bmod 4$, while $\lambda_2(f)$ is 1 if $f \equiv \pm 1 \bmod 8$, $-1$ if $f \equiv \pm 3 \bmod 8$,
and $\lambda_3(f)$ is 1 if $f \equiv 1$ or $3 \bmod 8$, $-1$ if $f \equiv 5$ or $7 \bmod 8$. (Note
that $\lambda_3(f) = \lambda_1(f)\lambda_2(f)$.)
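The following is an added example, not part of the book: it runs the comparison algorithm, lists the stable modules using the test $|r - f|^2 < A$, partitions them into cycles as the exercise for Chapter 22 asks, and computes each cycle's signature by the Definition and Notation above. The function names are assumptions of this example; a module $[f, g + \sqrt{A}]$ in canonical form is represented by the pair `(f, g)`, and the inputs 105 and 30 are the values of $A$ worked in the text.

```python
def successor(f, g, A):
    """Comparison algorithm for [f, g + sqrt(A)] in canonical form.

    Returns (f1, g1, r): r is the least number with r + g = 0 mod f and
    r^2 > A, f1 = (r^2 - A)/f, and g1 is the least number = r mod f1.
    """
    r = (-g) % f
    while r * r <= A:
        r += f
    f1 = (r * r - A) // f
    return f1, r % f1, r


def is_stable(f, g, A):
    """Stability test used in the text: |r - f|^2 < A."""
    r = successor(f, g, A)[2]
    return (r - f) ** 2 < A


def stable_cycles(A):
    """List the stable modules (f, g) for A and split them into cycles.

    The text notes that a stable module has f <= A, so f runs over 1..A.
    """
    stable = [(f, g) for f in range(1, A + 1) for g in range(f)
              if (g * g - A) % f == 0 and is_stable(f, g, A)]
    seen, cycles = set(), []
    for start in stable:
        cycle, m = [], start
        while m not in seen:          # follow successors until the cycle closes
            seen.add(m)
            cycle.append(m)
            m = successor(m[0], m[1], A)[:2]
        if cycle:
            cycles.append(cycle)
    return cycles


def odd_prime_factors(A):
    """Odd prime factors A_1 < A_2 < ... of A, by trial division."""
    n, p, out = A, 3, []
    while n % 2 == 0:
        n //= 2
    while n > 1:
        if n % p == 0:
            out.append(p)
            while n % p == 0:
                n //= p
        p += 2
    return out


def quad_char(p, a):
    """C_p(a) for an odd prime p, by Euler's criterion: 1, -1 or 0."""
    t = pow(a, (p - 1) // 2, p)
    return -1 if t == p - 1 else t


def last_sign(A, f):
    """lambda_1, lambda_2 or lambda_3 of an odd f, selected by A."""
    if A % 4 == 3:
        return 1 if f % 4 == 1 else -1
    if A % 8 == 2:
        return 1 if f % 8 in (1, 7) else -1
    return 1 if f % 8 in (1, 3) else -1      # A = 6 mod 8


def cycle_signature(cycle, A):
    """Signature of the equivalence class of a cycle (A squarefree)."""
    signs = []
    for p in odd_prime_factors(A):
        f = next(f for f, _ in cycle if f % p != 0)   # exists by Proposition 1
        signs.append(quad_char(p, f))
    if A % 4 != 1:
        f = next(f for f, _ in cycle if f % 2 == 1)   # exists by Props. 2 and 3
        signs.append(last_sign(A, f))
    return "".join("+" if s == 1 else "-" for s in signs)


def class_signatures(A):
    """One signature per cycle of stable modules for A."""
    return [cycle_signature(c, A) for c in stable_cycles(A)]


if __name__ == "__main__":
    for A in (105, 30):
        for c in stable_cycles(A):
            print(A, cycle_signature(c, A), c)
```

For $A = 105$ the principal cycle comes out as `(1, 0), (16, 11), (21, 0), (16, 5)`, and each of the four signatures found in the text occurs for two of the eight cycles.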


Exercises for Chapter 24 


1. Verify the characters given for several of the cycles for square- 
free A given in the table of stable modules in the appendix. 

2. Verify several cases of the fact that the signature of a product 
is the product of the signatures of two primitive cycles (where the 
product of the signatures is defined in an obvious way). 
Chapter 25


The Main Theorem 


Let $A$ be a given squarefree number. The signature of a given
equivalence class of modules for $A$ is defined in the last chapter as a
sequence of signs + or −; when $m$ is the number of odd prime factors of $A$,
there are $m$ signs when $A \equiv 1 \bmod 4$ and $m + 1$ signs otherwise. To
find the signature of an equivalence class, it suffices¹ to find one
module $[f, g + \sqrt{A}]$ in the class in which $f$ is odd and relatively prime to
$A$. Then the first $m$ signs of the signature are $C_{A_i}(f)$, where $A_i$ is the
$i$th odd prime factor of $A$ (ordered by $A_i < A_{i+1}$), and the last sign,
in case $A \not\equiv 1 \bmod 4$, is $\lambda_1(f)$, $\lambda_2(f)$, or $\lambda_3(f)$, when $A \equiv 3 \bmod 4$,
$\equiv 2 \bmod 8$, or $\equiv 6 \bmod 8$, respectively. (See the definitions of the
$\lambda_i(f)$ at the end of Chapter 24.)


It is natural to define the signature relative to $A$ of an odd
number $f$ that is relatively prime to $A$ to be this same sequence
of signs—$m$ signs $C_{A_i}(f)$ when $A \equiv 1 \bmod 4$, and these $m$ signs
followed by $\lambda_1(f)$, $\lambda_2(f)$, or $\lambda_3(f)$ when $A \equiv 3 \bmod 4$, $\equiv 2 \bmod 8$, or
$\equiv 6 \bmod 8$, respectively.


Main Theorem. Let $A$ be squarefree and let $p$ be an odd prime that
does not divide $A$. Then $C_p(A)$ is the product of the signs of the
signature of $p$ for this $A$. In other words, $A$ is a square mod $p$ if and
only if the signature of $p$ relative to $A$ contains an even number of
minus signs.


¹ The definition in Chapter 24 allows for the use of different $f$’s for the
determination of different signs in the signature. As will be proved in Chapter 27,
a single $f$ can be used as above to determine all the signs provided the class is
primitive.


Corollary (Euler’s law). The value of $C_p(A)$ depends only on the
value of $p$ mod $4A$.


Deduction. As was explained at the beginning of Chapter 24, Euler’s
law for squarefree $A$ implies Euler’s law for all $A$. Assume, therefore,
that $A$ is squarefree. By the theorem, $C_p(A)$ depends only on
the signs in the signature of $p$ relative to $A$. The $i$th sign $C_{A_i}(p)$ for
$i = 1, 2, \ldots, m$ depends only on the value of $p$ mod $A_i$ and therefore
depends only on the value of $p$ mod $4A$. The $(m + 1)$st sign, if there
is one, depends only on the value of $p$ mod 4 if $A \equiv 3 \bmod 4$ and only
on the value of $p$ mod 8 if $A \equiv 2$ or $6 \bmod 8$. Since 4 divides $4A$ in
the first case and 8 divides $4A$ in the last two cases, the corollary
follows. □


The Main Theorem will be proved in Chapter 29. 
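As an added numerical check that is not part of the book, the code below compares $C_p(A)$, computed by Euler's criterion, with the product of the signs in the signature of $p$ relative to $A$, and tests the Corollary by grouping primes by their residue mod $4A$. The function names and the search bounds are assumptions of this example.

```python
from math import isqrt


def quad_char(p, a):
    """C_p(a) for an odd prime p, by Euler's criterion: 1, -1 or 0."""
    t = pow(a % p, (p - 1) // 2, p)
    return -1 if t == p - 1 else t


def signature_product(f, A):
    """Product of the signs in the signature of f relative to A.

    f must be odd and relatively prime to the squarefree number A.
    """
    prod, n, q = 1, A, 3
    if n % 2 == 0:
        n //= 2
    while n > 1:                       # odd prime factors A_1 < A_2 < ...
        if n % q == 0:
            prod *= quad_char(q, f)    # the sign C_{A_i}(f)
            n //= q
        q += 2
    if A % 4 == 3:
        prod *= 1 if f % 4 == 1 else -1         # lambda_1(f)
    elif A % 8 == 2:
        prod *= 1 if f % 8 in (1, 7) else -1    # lambda_2(f)
    elif A % 8 == 6:
        prod *= 1 if f % 8 in (1, 3) else -1    # lambda_3(f)
    return prod


def is_squarefree(n):
    return all(n % (d * d) for d in range(2, isqrt(n) + 1))


def odd_primes_upto(n):
    """Odd primes <= n by the sieve of Eratosthenes."""
    sieve = bytearray([1]) * (n + 1)
    sieve[0:2] = b"\x00\x00"
    for i in range(2, isqrt(n) + 1):
        if sieve[i]:
            sieve[i * i::i] = bytearray(len(range(i * i, n + 1, i)))
    return [p for p in range(3, n + 1) if sieve[p]]


def main_theorem_failures(max_A, max_p):
    """Pairs (A, p) where C_p(A) differs from the product of signs.

    The Main Theorem asserts that this list is empty.
    """
    primes = odd_primes_upto(max_p)
    return [(A, p)
            for A in range(2, max_A + 1) if is_squarefree(A)
            for p in primes
            if A % p and quad_char(p, A) != signature_product(p, A)]


def euler_law_holds(A, max_p):
    """True if C_p(A) is constant on each class of p mod 4A (p <= max_p)."""
    value_for_class = {}
    for p in odd_primes_upto(max_p):
        if A % p:
            c = quad_char(p, A)
            if value_for_class.setdefault(p % (4 * A), c) != c:
                return False
    return True


if __name__ == "__main__":
    print(main_theorem_failures(112, 2000))   # expected: no counterexamples
    print(euler_law_holds(105, 5000))
```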


Exercise for Chapter 25 


Check that for squarefree values of $A$ and for primitive modules,
the signatures shown in the appendix are precisely those in which
there are an even number of minuses. (Because $C_p(A) = 1$ if and
only if $A \not\equiv 0 \bmod p$ and $[p, g + \sqrt{A}]$ is in canonical form for some $g$,
this observation is equivalent to the Main Theorem for the squarefree
values of $A$ included in the appendix.)
Chapter 26


Modules That Become 
Principal When 
Squared. 


This chapter finds all solutions $[f, g + \sqrt{A}]$ of the problem
$[f, g + \sqrt{A}]^2 \sim [1]$ in all cases in which $A$ is prime or $A$ is a product of
two primes, each congruent to 3 mod 4. The result will be used in the
following three chapters to prove the law of quadratic reciprocity and
the Main Theorem.


Of course, $[1]^2 = [1]$ is a solution of this problem. Another simple
solution is $[A, \sqrt{A}]^2 = [A^2, A\sqrt{A}, A] = [A][A, \sqrt{A}, 1] = [A] \sim [1]$. Any
module that is equivalent to one of these solutions $[1]$ and $[A, \sqrt{A}]$
of the problem is also a solution, because the equivalence class of a
product depends only on the equivalence classes of the factors.


As was seen in Chapter 23, it is natural to identify equivalence 
classes of modules with cycles of stable modules. The square of an 
equivalence class then becomes the square of the corresponding cycle 
of stable modules, which is found by choosing a module in the cycle, 
squaring it, and finding the cycle of stable modules equivalent to the 
result. The question then becomes: For which cycles of stable modules 
is the “square” found in this way the principal cycle? 
Proposition. If $A$ is a prime congruent to 1 mod 4, then the
principal cycle is the only cycle whose square is the principal cycle. (In
this case, therefore, $[A, \sqrt{A}]$ must be in the principal cycle.) If $A$ is a
prime congruent to 3 mod 4, or if $A = pq$ where $p$ and $q$ are primes
that are congruent to 3 mod 4, then $[1]$ and $[A, \sqrt{A}]$ are in different
cycles, and these two cycles are the only ones whose squares are the
principal cycle.


Lemma. If $[f, g + \sqrt{A}]$ is a stable module and $[f_1, g_1 + \sqrt{A}]$ is its
successor, the conjugate of $[f_1, g_1 + \sqrt{A}]$ is stable, and the conjugate
of $[f, g + \sqrt{A}]$ is its successor.


Proof. Suppose that $[f, g + \sqrt{A}]$ and $[f_1, g_1 + \sqrt{A}]$ are both in
canonical form, so that their conjugates are $[f, g' + \sqrt{A}]$ and
$[f_1, g_1' + \sqrt{A}]$, respectively, where $g'$ is the least solution of
$g' + g \equiv 0 \bmod f$ and $g_1'$ is the least solution of
$g_1' + g_1 \equiv 0 \bmod f_1$. By definition, $g_1 \equiv r \bmod f_1$
where $r$ is the number used by the comparison algorithm to
determine the successor of $[f, g + \sqrt{A}]$. Therefore, $r + g_1' \equiv 0 \bmod f_1$, so
$r$ is the number used by the comparison algorithm to determine the
successor of $[f_1, g_1' + \sqrt{A}]$ if and only if no number $r_1$ satisfies $r_1 < r$,
$r_1 \equiv r \bmod f_1$, and $r_1^2 > A$. That there is no such $r_1$ follows from the
assumption that $[f, g + \sqrt{A}]$ is stable, because this assumption means
$|r - f|^2 < A$, and therefore implies, in succession, $r^2 + f^2 < A + 2rf$,
$ff_1 + f^2 < 2rf$, $f_1 + f < 2r$, $f_1^2 + ff_1 < 2rf_1$, $f_1^2 + r^2 < 2rf_1 + A$, and
$|f_1 - r|^2 < A$; this last inequality shows there is no $r_1$ as above,
because $r_1 < r$ and $r_1 \equiv r \bmod f_1$ imply that $r_1 + f_1 \le r$ and therefore
imply $r_1^2 \le (r - f_1)^2 < A$.

The inequality $|f_1 - r|^2 < A$ then implies that $[f_1, g_1' + \sqrt{A}]$ is
stable.

Finally, because $r$ is the number used by the comparison algorithm
to determine the successor, call it $[F, G + \sqrt{A}]$, of $[f_1, g_1' + \sqrt{A}]$,
$Ff_1 = r^2 - A$ holds. Since this number is also $ff_1$, $F$ must be $f$.
Finally, $G \equiv r \bmod F$ then means $G \equiv r \bmod f$, so
$G + g \equiv r + g \equiv 0 \bmod f$ and $G \equiv g' \bmod f$, as was to be shown. □


¹ See Chapter 20 for the definition of the conjugate of a module.

Simply put, the lemma states that the conjugate of a cycle is a
cycle, but conjugation reverses the order in which cycles are traversed.


Proof of the proposition. If $[f, g + \sqrt{A}]^2 \sim [1]$, then $[f, g + \sqrt{A}]$
is primitive, as follows directly from the proposition of Chapter 23.
(The equivalence class of $[f, g + \sqrt{A}]$ times itself is the principal class.)
Therefore, it suffices to find the cycles of primitive modules whose
squares are principal.


If $[f, g + \sqrt{A}]$ is stable and primitive and if $[f, g + \sqrt{A}]^2 \sim [1]$, then
$[f, g' + \sqrt{A}] \sim [f, g' + \sqrt{A}][f, g + \sqrt{A}]^2 \sim [f][f, g + \sqrt{A}] \sim [f, g + \sqrt{A}]$
when $[f, g' + \sqrt{A}]$ is the conjugate of $[f, g + \sqrt{A}]$. Therefore, by
the lemma and by the theorem of Chapter 23, $[f, g + \sqrt{A}]$ and its
conjugate are in the same cycle, say $[f, g' + \sqrt{A}] = [f_i, g_i + \sqrt{A}]$
where $[f_i, g_i + \sqrt{A}]$ is the $i$th successor of $[f, g + \sqrt{A}]$. The lemma
then implies, when $i > 1$, that $[f_{i-1}, g_{i-1} + \sqrt{A}]$ is the conjugate of
$[f_1, g_1 + \sqrt{A}]$ because both are the stable module whose successor is
the conjugate of $[f, g + \sqrt{A}]$. In the same way, $[f_{i-2}, g_{i-2} + \sqrt{A}]$ is the
conjugate of $[f_2, g_2 + \sqrt{A}]$ when $i > 2$, $[f_{i-3}, g_{i-3} + \sqrt{A}]$ the conjugate
of $[f_3, g_3 + \sqrt{A}]$ when $i > 3$, and so forth. If $i$ is even, say $i = 2j$, then
$[f_j, g_j + \sqrt{A}]$ is its own conjugate. If $i$ is odd, say $i = 2j + 1$, then
$[f_j, g_j + \sqrt{A}]$ is the conjugate of $[f_{j+1}, g_{j+1} + \sqrt{A}]$. Let a stable module
$[f, g + \sqrt{A}]$ be called pivotal of type 1 if it is its own conjugate and
pivotal of type 2 if it is the conjugate of its successor. Thus, a
cycle whose square is equivalent to $[1]$ must contain a pivotal module.
Since the converse is clear, the proposition amounts to a description
of the primitive cycles that contain pivotal modules, and it can be
proved by finding all pivotal modules.


When A is an odd prime, there are just four pivotal modules. 
They can be determined in the following way. 


If $[f, g + \sqrt{A}]$ is a pivotal module of type 1—that is,
$[f, g + \sqrt{A}] = [f, g' + \sqrt{A}]$—then $g + g \equiv 0 \bmod f$ when $[f, g + \sqrt{A}]$ is in
canonical form. Because $A \equiv g^2 \bmod f$, the condition $2g \equiv 0 \bmod f$ implies
$4A \equiv (2g)^2 \equiv 0 \bmod f$, so $f$ must divide $4A$. Since $A$ is an odd
prime, $f$ must therefore have one of the values 1, 2, 4, $A$, $2A$, or $4A$.
Since $[f, g + \sqrt{A}]$ is stable, $f \le A$, so $f$ can only be 1, 2, 4, or $A$.
The value $f = 4$ is impossible because $2g \equiv 0 \bmod 4$ would imply $g$
was even, which is contrary to the assumption that $A$ is odd because
the other assumptions imply $A \equiv g^2 \bmod 4$. Each of the remaining
values 1, 2, and $A$ indeed gives rise to a pivotal module of type 1,
namely, $[1, \sqrt{A}]$, $[2, 1 + \sqrt{A}]$, and $[A, \sqrt{A}]$, respectively.

The pivotal modules of type 2 when $A$ is an odd prime are even
easier to find. If $[f, g + \sqrt{A}]$ is in canonical form and pivotal of type 2,
then $f = f_1$, which implies that $f^2 = r^2 - A$, where $r$ is the number
used by the comparison algorithm to find the successor $[f_1, g_1 + \sqrt{A}]$
of $[f, g + \sqrt{A}]$. Then $A = r^2 - f^2 = (r + f)(r - f)$, so the existence of a
pivotal module of type 2 implies a factorization of $A$ into two factors.
Since $A$ is prime, it follows that $r - f = 1$ and $r + f = A$, which is
to say that $r = \frac{A+1}{2}$ and $f = f_1 = \frac{A-1}{2}$. Because $g_1 \equiv r \bmod f_1$, one
then finds $g_1 = 1$ and $g = f - g_1 = \frac{A-3}{2}$. In fact,
$[\frac{A-1}{2}, \frac{A-3}{2} + \sqrt{A}]$
is easily seen to be pivotal of type 2. (The value of $r$ used to go
from it to its successor is $\frac{A+1}{2}$ because
$\frac{A+1}{2} + \frac{A-3}{2} \equiv 0 \bmod \frac{A-1}{2}$ and
$\left(\frac{A+1}{2}\right)^2 > A$ but the square of $\frac{A+1}{2} - \frac{A-1}{2} = 1$ is not greater than $A$.)
Thus, $[\frac{A-1}{2}, \frac{A-3}{2} + \sqrt{A}]$ is the unique pivotal module of type 2 in this
case.


A cycle which contains a pivotal module must in fact contain two
of them, unless it consists of only one module, as can be seen in the
following way. Let the modules in a cycle be numbered starting with
a pivotal module $[f_0, g_0 + \sqrt{A}]$. If $[f_0, g_0 + \sqrt{A}]$ is of type 1, then
$[f_i, g_i + \sqrt{A}]$ is the conjugate of $[f_{l-i}, g_{l-i} + \sqrt{A}]$ for each $i$, where $l$
is the length of the cycle. If $l$ is even, say $l = 2j$, then $[f_j, g_j + \sqrt{A}]$
is pivotal of type 1; if $l$ is odd, say $l = 2j + 1$, then $[f_j, g_j + \sqrt{A}]$ is
pivotal of type 2. Thus, the cycle contains another pivotal module
unless $l = 1$, in which case $[f_0, g_0 + \sqrt{A}]$ is pivotal of type 2 as well as
type 1. If $[f_0, g_0 + \sqrt{A}]$ is pivotal of type 2, then $[f_i, g_i + \sqrt{A}]$ is the
conjugate of $[f_{l-i+1}, g_{l-i+1} + \sqrt{A}]$ for each $i$, from which it follows in
a similar way that when $l = 2j + 1$ is odd, $[f_j, g_j + \sqrt{A}]$ is pivotal
of type 1 and when $l = 2j$ is even, $[f_j, g_j + \sqrt{A}]$ is pivotal of type
2. Thus, there is a second pivotal module in the cycle except when
$l = 1$, in which case the sole module in the cycle is pivotal of both
types.
The only cases in which the module $[\frac{A-1}{2}, \frac{A-3}{2} + \sqrt{A}]$ pivotal of
type 2 is also pivotal of type 1 are those in which $\frac{A-1}{2} = 1$ or 2, which
is to say the cases $A = 3$ or 5.


In summary, when $A$ is an odd prime, only two cycles of stable
modules contain pivotal modules, namely, the cycles of the modules
$[1, \sqrt{A}]$, $[2, 1 + \sqrt{A}]$, $[A, \sqrt{A}]$, and $[\frac{A-1}{2}, \frac{A-3}{2} + \sqrt{A}]$. These modules lie
in exactly two cycles; except when $A = 3$ or 5, there are four pivotal
modules, two in each cycle, but in the exceptional cases, there are
only three pivotal modules and one of them is a cycle unto itself.


When $A$ is prime and $A \equiv 1 \bmod 4$, the module $[2, 1 + \sqrt{A}]$ is
not primitive, so the square of its cycle cannot be the principal cycle.
Therefore, for prime values of $A$ that are 1 mod 4 the principal cycle
is the only one whose square is the principal cycle, as was to be shown.


When A is prime and A = 3 mod 4, all four of the pivotal modules 
are primitive, as is easily checked. Therefore, two cycles solve the 
problem. Moreover, the signature of [A, VA] is ——, as is easily seen. 
(The second sign is — directly from its definition; the first sign is — 
because the successor of [A, VA] is [A—1, 1+ VA] and (A—1)(4-)//2 = 
(—1)(4-))/2 = —1 mod A when A = 3 mod 4.) Therefore, the cycle 
of [A, V Al is not the principal cycle and the proposition follows in 
this case. 


Consider finally the case in which A = pq, for distinct primes p
and q that are both 3 mod 4. Again, the pivotal modules of type 1
must have the form [f, g + √A] where f divides 4A. Again, f is at
most A and cannot be divisible by 4. Thus, f has one of the values
1, 2, p, 2p, q, 2q, pq. It is easily checked that the modules [1, √A],
[2, 1 + √A], [p, √A], [2p, p + √A], [q, √A], [2q, q + √A], and [pq, √A]
are all pivotal of type 1 except that [2p, p + √A] is not stable when
p is the larger of the two factors of A, because the r that determines
the successor of [2p, p + √A] is p, and |p − 2p|² = p² > pq = A. Thus,
there are exactly 6 pivotal modules of type 1 in this case.


As for the pivotal modules of type 2, again [(A−1)/2, (A−3)/2 + √A] is
such a module. A second one corresponds to the factorization r − f =
q, r + f = p of A = r² − f², where p is the larger of the two primes.
Then f = (p−q)/2 and r = (p+q)/2, which gives [f, r + √A] = [(p−q)/2, q + √A]
as the successor of a pivotal module of type 2 and therefore gives
[(p−q)/2, (p−q)/2 − q + √A] = [(p−q)/2, (p−3q)/2 + √A] as the sole remaining
pivotal module of type 2 in this case.


As before, the eight pivotal modules lie in four cycles, each of
which contains two pivotal modules, except when two of them coincide
(which happens just when p = q + 4 so that the module [(p−q)/2, q + √A]
is [2, 1 + √A]) in which case there are still 4 cycles but one of them
contains only one module.


In this case (when A = pq, where p > q are both prime and congruent
to 3 mod 4), A is 1 mod 4, so [2, 1 + √A] and [(A−1)/2, 1 + √A]
are not primitive, and neither are [2q, q + √A] or [(p−q)/2, q + √A]. The
remaining four, [1, √A], [p, √A], [q, √A], and [A, √A], are all primitive
and they determine two cycles whose squares are the principal
cycle. One is the principal cycle and the other is the cycle of
[A, √A], because the signature of [A, √A] is the signature of its
successor [A − 1, 1 + √A], which is −− because A − 1 is −1 mod p and
−1 mod q, neither of which is a square,* which completes the proof
of the proposition. □


Exercises for Chapter 26 
1. Most modules in the table in the appendix are equivalent to 
pivotal modules. Find at least one that is not. 


2. Find, if possible, modules that have the same signature but 
are not equivalent. 


*The index of −1 for a primitive root g mod p is (p − 1)/2, which is odd, so
−1 is not a square mod p and, for the same reason, −1 is not a square mod q.

Chapter 27


The Possible Signatures 
for Certain Values of A 


The proposition of the last chapter implies the following theorem, 
which in turn implies the law of quadratic reciprocity as it is stated 
and proved in Chapter 28. As before, all hypernumbers and modules 
relate to a fixed A, not a square. 


Theorem. If A is a prime congruent to 1 mod 4, then all primitive
cycles of stable modules have signature +. If A is a prime congruent
to 3 mod 4, then half of the primitive cycles of stable modules have
signature ++ and the other half have signature −−. When A is a
product A = pq of two primes p and q, both congruent to 3 mod 4,
half of the primitive cycles of stable modules have signature ++ and
the other half have signature −−; moreover, [p, √(pq)] and [q, √(pq)] are
in opposite halves.


Proof. Let A be a prime congruent to 1 mod 4 and consider the
squaring function which assigns to each primitive cycle of stable
modules its square, as in the proposition of the last chapter. If the
cycles of [f, g + √A]² and [F, G + √A]² are the same, then the cycle
of [f, g′ + √A][F, G + √A], where [f, g′ + √A] is the conjugate of
[f, g + √A], has the cycle of [1] as its square (because the square of a
product is the product of the squares and the product of [f, g′ + √A]²
and [F, G + √A]² is equivalent to the product of [f, g′ + √A]² and
[f, g + √A]², which is equivalent to [1]² = [1] by virtue of the
assumption that [f, g + √A] is primitive). Therefore, by the proposition of
the last chapter, [f, g′ + √A][F, G + √A], having its square equivalent
to [1], must itself be equivalent to [1], which is to say that
[f, g + √A] and [F, G + √A] are in the same cycle (multiply both
sides of [f, g′ + √A][F, G + √A] ∼ [1] by [f, g + √A]). In short, the
squaring function on primitive cycles is one-to-one. Since a one-to-one
function from a finite set to itself must also be onto, it follows
that every cycle of primitive stable modules when A ≡ 1 mod 4 is the
square of some other cycle of primitive stable modules.


The lemma below states that the signature of a product of two 
modules is the product of the signatures. Therefore, the signature 
of any primitive module is the square of the signature of some other 
primitive module, which means that its signature must be +. 


Next let A be a prime congruent to 3 mod 4. As before,
[f, g + √A]² ∼ [F, G + √A]² implies that the square of [f, g′ + √A][F, G + √A]
is equivalent to [1], which means in this case that [f, g′ + √A][F, G + √A]
is equivalent either to [1] or to [A, √A]. Therefore, either
[F, G + √A] ∼ [f, g + √A] or [F, G + √A] ∼ [f, g + √A][A, √A]. Since, as
was seen in Chapter 26, [1] and [A, √A] are in different cycles, the
squaring function in this case is therefore a two-to-one function from
primitive cycles to themselves, and exactly half of the primitive cycles
are squares of primitive cycles; thus, half of the primitive cycles have
the signature ++. Since the signature of [A, √A] is −− (because
λ_1(A) = −1 and [A − 1, 1 + √A] is the successor of [A, √A] and
C_A(A − 1) = −1), the cycle of [A, √A] times any cycle that is a
square has signature −−, which accounts for the other half of the
cycles and shows that they all have signature −−.


Finally, when A = pq where p and q are primes for which p ≡ q ≡
3 mod 4, the fact that just two cycles have square the principal cycle
implies in the same way that the squaring function from primitive
cycles to primitive cycles is two-to-one, so half of the primitive cycles
are squares and therefore have signature ++. The cycle of [A, √A]
again has signature −− (both C_p(A − 1) and C_q(A − 1) are −1), so
an equal number of cycles have the signature −−, which accounts for
all of the primitive cycles. Finally, the four primitive pivotal modules
[1], [p, √(pq)], [q, √(pq)], and [A, √A] are in two different cycles, with
two of them in each of the two; since [1] and [A, √A] lie in different
cycles, so must [p, √(pq)] and [q, √(pq)]. □


Lemma. If [f, g + √A] and [F, G + √A] are primitive modules in
canonical form, then the signature of their product is the product of
their signatures.


(Signatures are of course multiplied by multiplying corresponding 
signs using the rule that the product of like signs is + and the product 
of differing signs is —.) 


Proof. If f and F are relatively prime to 4A, then the signatures of
[f, g + √A] and [F, G + √A] are simply the signatures of f and F,
respectively, in the obvious sense. If f and F are also relatively prime
to each other, the signature of the product [f, g + √A][F, G + √A]
is the signature of fF, because when the Chinese remainder theorem
is used to find a solution 𝒢 of 𝒢 ≡ g mod f and 𝒢 ≡ G mod F, one
finds [f, g + √A][F, G + √A] = [f, 𝒢 + √A][F, 𝒢 + √A] =
[fF, f·(𝒢 + √A), F·(𝒢 + √A), (𝒢 + √A)²] = [fF, 𝒢 + √A], because the existence
of a solution (a, b) of af = bF + 1 makes it possible to annex 𝒢 + √A
to the list and then to drop f·(𝒢 + √A), F·(𝒢 + √A), and (𝒢 + √A)².


Because each individual sign of the signature is multiplicative—
for each prime p that does not divide fF, C_p(fF) = C_p(f)C_p(F) and
similarly for λ_1, λ_2, and λ_3 when fF is odd—these simple observations
suffice to prove the lemma once it is shown that the following
construction—which makes it possible to replace [f, g + √A] with an
equivalent module in which f is relatively prime to 4A and replace
[F, G + √A] with an equivalent module in which F is relatively prime
to both 4A and f—is possible:


Construction. Given a primitive module and a number N, construct
an equivalent module in whose canonical form [F, G + √A] the
number F is relatively prime to N.


Let [f, g + √A] be the canonical form of the given primitive module,
which can be assumed without loss of generality to have e = 1
because [e][f, g + √A] is equivalent to [f, g + √A]. Let r be the
number used by the comparison algorithm to find the successor of
[f, g + √A]. The construction will be done in two steps; first it will
be shown that there is a number T for which ((r + Tf)² − A)/f, call it Q(T),
is relatively prime to fN, and then it will be shown that the module
[Q(T), r + Tf + √A], whose canonical form is [Q(T), G + √A] where
G is the smallest solution of G ≡ r + Tf mod Q(T), is equivalent to
[f, g + √A].


For any given number t, let


Thus, Q(t) is a polynomial in t with number coefficients; it is to be
shown that a number T can be found for which Q(T) is relatively
prime to fN.


For any given prime p, a number t_p can be found for which
Q(t_p) ≢ 0 mod p. If the leading coefficient f of Q(t) is not zero mod
p, then Q(t) ≡ 0 mod p has at most two roots; therefore, if p > 2,
there is at least one t for which Q(t) ≢ 0 mod p. The case p = 2
will be treated last. If the leading coefficient is zero mod p but the
second coefficient 2r is not zero mod p, then Q(t) ≡ 0 mod p has just
one root, so there are p − 1 solutions t of Q(t) ≢ 0 mod p. If both of
these coefficients f and 2r are zero mod p, then the third coefficient
(r² − A)/f is nonzero mod p by virtue of the assumption that [f, g + √A]
is primitive, in which case t = 0 has the required property. Finally,
when p = 2, the primitivity of [f, g + √A] implies that at least one of
f and (r² − A)/f is odd; if (r² − A)/f is odd, then any even t has the
required property and in the remaining case any odd t does.


Let a number t_p for which Q(t_p) ≢ 0 mod p be chosen for each
prime factor p of fN. By the Chinese remainder theorem, there is a
T that satisfies all of the congruences T ≡ t_p mod p simultaneously.
Then Q(T) ≡ Q(t_p) ≢ 0 mod p for each prime factor p of fN.
In short, Q(T) is relatively prime to fN.


Finally, let v = Tf + r for this T and consider the principal
module [v + √A] = [v² − A, v + √A] = [f·Q(T), v + √A]. Because
f and Q(T) are relatively prime, the proof given above shows that
[v + √A] = [f, v + √A][Q(T), v + √A]. Since [v + √A] is principal and
the canonical forms of the two factors on the right are [f, r + √A] =
[f, g′ + √A] and [Q(T), G + √A] where g′ and G are the smallest
solutions of g′ + g ≡ 0 mod f and G ≡ v mod Q(T), respectively, it
follows that [1] ∼ [f, g′ + √A][Q(T), G + √A], and an equivalence
[f, g + √A] ∼ [Q(T), G + √A] of the required form follows when one
multiplies by [f, g + √A]. □


Exercises for Chapter 27 


1. If A is a prime that is 1 mod 4, then all primitive modules have 
signature +. Find such values of A for which there is more than one 
primitive cycle to find primitive modules that have the same signature 
but are not equivalent. 


2. If A is a prime that is 3 mod 4, then all primitive modules 
have signature either ++ or ——. For such A find primitive modules 
that have the same signature but are not equivalent. 
Chapter 28


The Law of Quadratic 
Reciprocity 


The Law of Quadratic Reciprocity. If p and q are distinct odd
primes, and if either of them is 1 mod 4, then C_p(q) = C_q(p), but if
both are 3 mod 4, then C_p(q) = −C_q(p).


This law can be deduced from the theorem of Chapter 27 in the 
following way. 


Proof. The case p ≡ q ≡ 3 mod 4 follows immediately from the
theorem because C_p(q) is the first sign of the signature of [q, √(pq)] and
C_q(p) is the second sign of the signature of [p, √(pq)] (when p > q), and
the theorem states that one of these signatures is ++ and the other
is −−.

If p ≡ q ≡ 1 mod 4 and if C_p(q) = 1, then there is a module whose
canonical form is [p, g + √q]. The signature of this module, which is
C_q(p), is + by the theorem. In short, C_p(q) = 1 implies C_q(p) = 1.
By symmetry, C_q(p) = 1 implies C_p(q) = 1, or, what is the same,
C_p(q) = −1 implies C_q(p) = −1. Therefore, C_p(q) = C_q(p).

Finally, suppose p ≡ 1 mod 4 and q ≡ 3 mod 4. If C_p(q) = 1
there is a module whose canonical form is [p, g + √q]. The signature
of this module is ++ or −− by the theorem. Since λ_1(p) = 1, the
second sign is +, so the first sign must also be +, which is to say
C_q(p) = 1. In short, C_p(q) = 1 implies C_q(p) = 1. If C_q(p) = 1,
there is a module whose canonical form is [q, g + √p] whose signature
C_p(q) is +. Thus C_p(q) = −1 implies C_q(p) = −1, and the proof is
complete. □


The following proposition is often called a “Supplementary Law
of Quadratic Reciprocity” because it gives the value of C_p(2) and
shows that this value depends only on the value of p mod 8. (The
other “Supplementary Law of Quadratic Reciprocity” is the formula
C_p(−1) = λ_1(p) that follows from C_p(−1) = (−1)^((p−1)/2)—Euler’s
criterion—for odd primes p. Note that neither statement expresses
any kind of “reciprocity.”)


Proposition. For any odd prime p, C_p(2) = λ_2(p).


(By definition, λ_2(n) is 1 for n ≡ ±1 mod 8 and −1 for n ≡
±3 mod 8. See the end of Chapter 24.)


Proof. If C_p(2) = 1, there is a module whose canonical form is
[p, g + √2]. When A = 2, the principal cycle is the only cycle of stable
modules and its signature is +. Since the signature of [p, g + √2] is
λ_2(p), it follows that C_p(2) = 1 implies λ_2(p) = 1.


It remains to show that C_p(2) = −1 implies λ_2(p) = −1, or, what
is the same, that λ_2(p) = 1 implies C_p(2) = 1. That is, it is to be
shown that p ≡ 7 mod 8 and p ≡ 1 mod 8 both imply C_p(2) = 1.

If p ≡ 7 mod 8, the signatures of the pivotal modules [p, √p]
and [(p−1)/2, 1 + √p] are both −− because λ_1(p) = −1 and
λ_1((p−1)/2) = −1; therefore, the signature of [2, 1 + √p], the one
remaining pivotal module other than [1], must be ++, which means in
particular that C_p(2) = 1.

Finally, if p ≡ 1 mod 8, then either [8, 1 + √p] or [8, 5 + √p] is
primitive (if p = 17, then [8, 5 + √p] is primitive and for all greater
primes congruent to 1 mod 8 the difference between (p−1)/8 and (p−25)/8 is
3, so exactly one of the two is odd). The signature of this primitive
module is + (because A ≡ 1 mod 4), which is to say that C_p(8) = 1;
thus, C_p(2)³ = 1, which implies C_p(2) = 1, as was to be shown. □
Exercise for Chapter 28


The law of quadratic reciprocity can be used to evaluate C_p(A)
for large values of p and A. For example, C_67(102) = C_67(2·3·17) =
C_67(2)·C_67(3)·C_67(17) = λ_2(67)·(−C_3(67))·C_17(67) = λ_2(3)·
(−1)·C_17(16) = (−1)·(−1)·(+1) = 1, so 102 is a square mod
67. (Or, one could say C_67(102) = C_67(35) = C_67(5)·C_67(7) =
C_5(67)·(−C_7(67)) = C_5(2)·(−C_7(4)) = (−1)·(−1) = 1.) Pose
problems of this sort for yourself and solve them. (In addition to
quadratic reciprocity you may want to use C_p(x²y) = C_p(y) whenever
x ≢ 0 mod p.) Your answers can always be checked using Euler’s
criterion (Chapter 21).
Chapter 29


Proof of the Main 
Theorem 


The Main Theorem (see Chapter 25) states that if A is squarefree and
if p is an odd prime that does not divide A, then C_p(A) is 1 if and
only if the signature of p for A contains an even number of minuses.
In formulas,


(1)    C_p(A) = C_{A_1}(p) C_{A_2}(p) ⋯ C_{A_m}(p) λ(p),


where A_1, A_2, ..., A_m are the odd prime factors of A and where the
last factor λ(p) is 1 when A ≡ 1 mod 4, λ_1(p) when A ≡ 3 mod 4,
λ_2(p) when A ≡ 2 mod 8, and λ_3(p) when A ≡ 6 mod 8. (See the end
of Chapter 24 for the definitions of λ_1, λ_2, and λ_3.)


Proof. When A = 2, formula (1) is simply the proposition of the
last chapter.


When A is an odd prime, formula (1) follows from quadratic
reciprocity in the following way. When A ≡ 1 mod 4, formula (1)
becomes C_p(A) = C_A(p), which follows from quadratic reciprocity.
When A ≡ 3 mod 4, it becomes C_p(A) = C_A(p)λ_1(p); thus, it states
C_p(A) = C_A(p) when p ≡ 1 mod 4 and C_p(A) = −C_A(p) when p ≡
3 mod 4, both of which follow from quadratic reciprocity.

For any odd, squarefree A, say A = A_1A_2⋯A_m where A_1, A_2,
..., A_m are distinct odd primes, one therefore has


C_p(A) = C_p(A_1)C_p(A_2)⋯C_p(A_m) = C_{A_1}(p)C_{A_2}(p)⋯C_{A_m}(p)λ_1(p)^i

where i is the number of the primes A_1, A_2, ..., A_m that are 3 mod 4.
Since λ_1(p)² = 1, it follows that C_p(A) is given by formula (1) where
λ(p) = 1 when i is even and λ(p) = λ_1(p) when i is odd. Since
A ≡ 1 mod 4 when i is even and A ≡ 3 mod 4 when i is odd, this is
the formula that was to be proved in the case in which A is odd.


Finally, if A is even, one finds similarly that

C_p(A) = C_p(A_1)C_p(A_2)⋯C_p(A_m)C_p(2)

is given by (1) when the last factor is C_p(2)λ_1(p)^i (when i is as before).
Since this factor is λ_2(p) when i is even and λ_3(p) when i is odd, it is
the last factor in the statement of the Main Theorem, and the proof
is complete. □


As was shown in Chapter 25, Euler’s law is a corollary of the 
Main Theorem. As was shown in Exercise 3 of Chapter 21, quadratic 
reciprocity—in the form Gauss stated it—is a corollary of Euler’s law. 
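
The evaluation described in the Exercise for Chapter 28 and formula (1) of the Main Theorem can both be checked mechanically against Euler's criterion. The Python sketch below is an added example, not code from the book; the function names are illustrative, and λ_3 is taken to be the product λ_1·λ_2, as the last step of the proof above implies.

```python
from collections import Counter


def prime_factors(n):
    """Prime factors of n >= 1 with multiplicity, by trial division."""
    out, d = [], 2
    while d * d <= n:
        while n % d == 0:
            out.append(d)
            n //= d
        d += 1
    if n > 1:
        out.append(n)
    return out


def euler_criterion(a, p):
    """C_p(a) read off from a^((p-1)/2) mod p (odd prime p not dividing a)."""
    v = pow(a % p, (p - 1) // 2, p)
    if v not in (1, p - 1):
        raise ValueError("p must be an odd prime that does not divide a")
    return 1 if v == 1 else -1


def lam1(n):
    """lambda_1(n) = (-1)^((n-1)/2): +1 for n = 1 mod 4, -1 for n = 3 mod 4."""
    return 1 if n % 4 == 1 else -1


def lam2(n):
    """lambda_2(n): +1 for n = +-1 mod 8, -1 for n = +-3 mod 8."""
    return 1 if n % 8 in (1, 7) else -1


def lam3(n):
    """Assumption of this example: lambda_3 = lambda_1 * lambda_2."""
    return lam1(n) * lam2(n)


def c_by_reciprocity(a, p):
    """C_p(a) using only the steps of the exercise: reduce a mod p, drop square
    factors, use C_p(2) = lambda_2(p), and flip each odd prime by reciprocity."""
    a %= p
    if a == 0:
        raise ValueError("p divides a")
    sign = 1
    for ell, exponent in Counter(prime_factors(a)).items():
        if exponent % 2 == 0:
            continue                      # C_p(x^2 y) = C_p(y)
        if ell == 2:
            sign *= lam2(p)               # supplementary law
        else:
            flip = -1 if (p % 4 == 3 and ell % 4 == 3) else 1
            sign *= flip * c_by_reciprocity(p, ell)   # C_p(ell) = +-C_ell(p)
    return sign


def c_by_main_theorem(A, p):
    """Right side of formula (1) for squarefree A > 0 and odd prime p not dividing A."""
    factors = prime_factors(A)
    if len(set(factors)) != len(factors):
        raise ValueError("A must be squarefree")
    if A % 4 == 1:
        sign = 1
    elif A % 4 == 3:
        sign = lam1(p)
    elif A % 8 == 2:
        sign = lam2(p)
    else:                                 # A = 6 mod 8
        sign = lam3(p)
    for q in factors:
        if q != 2:
            sign *= euler_criterion(p, q)  # C_{A_i}(p), a small computation mod A_i
    return sign


if __name__ == "__main__":
    # The book's worked case: C_67(102) = 1, so 102 is a square mod 67.
    print(c_by_reciprocity(102, 67), c_by_main_theorem(102, 67), euler_criterion(102, 67))
```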
Chapter 30


The Theory of Binary 
Quadratic Forms 


The modules of hypernumbers that are used to solve A□ + B = □
and prove “Euler’s law” in the preceding chapters provide a different
approach to one of the classic topics of number theory, the theory of
binary quadratic forms.


The theory of binary quadratic forms does not use hypernumbers,
but it does use integers—not just the numbers 0, 1, 2, ... that have
been used in this book so far but the negative integers −1, −2, −3,
... as well. In addition, it uses computations with polynomials with
integer coefficients. (Chapter 14 made limited use of polynomials in
one indeterminate with number coefficients, but now polynomials in
several indeterminates with integer coefficients will be needed.) The
reader will very likely be well acquainted with such computations,
even though they have not been used so far in the book.


A form is a homogeneous polynomial—that is, a polynomial in 
which all terms have the same degree. When that degree is 2, the 
form is called a quadratic form. Finally, when a quadratic form 
involves just two indeterminates, it is called a binary quadratic 
form. Since only binary quadratic forms will be considered in this 
chapter, they will simply be called forms. 
In short, a form is a polynomial Ax² + Bxy + Cy² in which A,
B, and C are integers and x and y are indeterminates. It will be
convenient to impose a few further conditions on the forms that are
to be considered. First, the coefficient of the first term will be assumed
to be positive. (This condition takes advantage of the fact that the
properties of Ax² + Bxy + Cy² determine the properties of −Ax² −
Bxy − Cy², so the sign can be chosen to make A > 0. For a reason
that is about to be explained, the case A = 0 can be ignored.) Second,
it will be assumed that the coefficient of the term that contains both
indeterminates is even. (Again, the properties of Ax² + Bxy + Cy²
determine the properties of 2Ax² + 2Bxy + 2Cy², so there is no loss of
generality in assuming that the middle coefficient is an even integer.
This choice agrees with Gauss’s notation—he wrote forms as ax² +
2bxy + cy²—and, as will be seen, it meshes well with the notation
used for modules of hypernumbers in the previous chapters.) Third,
it will be assumed that the discriminants of the forms considered are
not squares. Here the discriminant of a form ax² + 2bxy + cy²
is the integer b² − ac. (The rationale for this assumption is that
forms whose discriminants are square are decomposable as products
of two linear factors with rational coefficients and are therefore in
some sense not truly quadratic forms. Note that the assumption
b² − ac ≠ 0 implies a ≠ 0.) Finally, it will be assumed that the
discriminant is positive, simply because these are the only forms that
can be treated using the hypernumbers that have been considered in
the previous chapters. (As will be seen in the exercises, hypernumbers
that involve √A for negative A can be treated in exactly the same way
as those for positive A, and the problem of determining whether two
modules of such hypernumbers are equivalent—as well as the solution
of A□ + B = □—is in fact easier when A < 0. Once these facts are
established, the theory of forms with negative discriminants proceeds
in the same way as the theory for positive discriminants.)


¹ Characteristically, Gauss did not exclude square discriminants; instead he
dealt with this case separately. He called b² − ac the determinant instead of the
discriminant of the form, a rare case in which Gauss’s terminology has not been
adopted by later generations. If b² − ac = k² for some integer k, the formula
a(ax² + 2bxy + cy²) = (ax + by)² − k²y² = (ax + by + ky)(ax + by − ky) shows
that ax² + 2bxy + cy² has the decomposition (ax + by + ky)(ax + by − ky)/a.
Gauss defined the concept of equivalence of forms in the following
way. Substitution of


(1)    u = qx + ry
       v = sx + ty


where q, r, s, and t are integers, in a form αu² + 2βuv + γv², where
α, β, and γ are integers, gives a form ax² + 2bxy + cy² in which a, b,
and c are integers. Specifically, the values of a, b, and c are given by
the matrix formula


(2)    [ a  b ]   [ q  s ] [ α  β ] [ q  r ]
       [ b  c ] = [ r  t ] [ β  γ ] [ s  t ].


The matrix of coefficients

       [ q  r ]
       [ s  t ]

is invertible, with an inverse that has integer entries, if and only if
its determinant qt − rs is ±1. When this is the case, its inverse
transforms ax² + 2bxy + cy² back to αu² + 2βuv + γv². Prior to Gauss,
two forms were considered to be “the same” if such an invertible way of
transforming one of them into the other was possible. Gauss was the
first to realize that this seemingly natural definition of the equivalence
of two forms led to confusions that were avoided if one required that
two forms be considered equivalent only if they could be transformed
into one another by a transformation (1) in which the determinant
qt − rs of the matrix of coefficients was 1.


From the point of view of forms Gauss’s definition of equivalence
is undeniably artificial—it depends on the order of the variables
because it requires distinguishing the change of variables x = u, y = v
from the change of variables x = v, y = u—but from the point of
view of modules of hypernumbers the theorem below shows that the
condition qt − rs = 1 is entirely natural.


Problem. Given two forms, determine whether they are equivalent
and, if so, find all possible transformations of one into the other by
matrices with determinant 1.


Since the determinant of a product is the product of the determinants,
equation (2) shows that equivalent forms must have the same
discriminant b² − ac = β² − αγ (because the determinant on the right
is ac − b² and the determinant on the left is αγ − β²). Thus, the
problem is to determine whether two forms with the same discriminant
are equivalent.


Theorem. Let ax² + 2bxy + cy² and αu² + 2βuv + γv² be given forms
with the same discriminant, say A = b² − ac = β² − αγ. They are
equivalent if and only if the modules of hypernumbers² [a, b + √A] and
[α, β + √A] are equivalent.


Since the method of Chapter 23 enables one to determine whether
two modules are equivalent, this theorem solves the problem of
determining whether two given forms are equivalent. Moreover, when the
forms are equivalent, the method of the proof gives an algorithm for
finding all changes of variables (1) with determinant 1 that transform
one into the other, or, more precisely, reduces the problem of finding
all such changes of variables to the problem of finding all hypernumbers
Y + X√A which satisfy [Y + X√A][a, b + √A] = [a][α, β + √A];
this problem is solved in Chapter 23 in the special case in which
[α, β + √A] is stable, and the general case follows easily from this
case.


Proof. Assume first that [a, b + √A] and [α, β + √A] are equivalent.
As was shown in Chapter 23, there is then an equivalence of the
particular form [Y + X√A][a, b + √A] = [a][α, β + √A], where X and
Y are numbers for which Y² > AX². Given such a hypernumber
Y + X√A, the matrix defined by the formula

(3)    [ q  r ]   [ (Y − βX)/α    (Yb + AX − βY − βbX)/(aα) ]
       [ s  t ] = [ X             (Y + bX)/a                ]

has integer entries, has determinant 1, and satisfies equation (2), as
can be verified in the following way.


² When b is negative, b + √(b² − ac) is not a hypernumber. This problem can
be overcome either by allowing hypernumbers to have negative coefficients or by
replacing ax² + 2bxy + cy² with an equivalent form in which a is unchanged and
b is positive, which is easy to do—see Exercise 1. Since the module [a, b + √A]
depends only on the value of b mod a, the meaning of [a, b + √A] for negative b
is clear.
To say that a(Y + X√A) is 0 mod [a][α, β + √A] is to say that
aX ≡ 0 mod a and aY ≡ βaX mod aα (by the proposition of Chapter
18), which is simply to say Y ≡ βX mod α; in short, q in formula
(3) is an integer. To say that (Y + X√A)(b + √A) = Yb + XA +
(Y + Xb)√A is 0 mod [a][α, β + √A] is to say that Y + Xb ≡ 0 mod a
and Yb + XA ≡ β(Y + Xb) mod aα, or, in short, that t and r are
integers. Not only is s an integer, it is a number. Since

qt − rs = (1/(aα))((Y − βX)(Y + bX) − X(Yb + AX − βY − βbX)) = (1/(aα))(Y² − AX²),

the statement that the determinant of the matrix with rows (q, r) and
(s, t) is 1 is the statement that Y² − AX² = aα, which follows from
the fact that the norm³ of [Y + X√A][a, b + √A] = [a][α, β + √A] is
[(Y² − AX²)a][a, 2b, c, b + √A] = [a²α][α, 2β, γ, β + √A].

Finally, the needed equation (2) follows from noting that the
substitution (1) carries a(αu + (β + √A)v) to aα(qx + ry) + aβ(sx +
ty) + a(sx + ty)√A = a(Y − βX)x + (Yb + AX − βY − βbX)y +
aβXx + β(Y + bX)y + (aXx + (Y + bX)y)√A = Y(ax + by + y√A) +
X(−aβx + Ay − βby + aβx + βby + ax√A + by√A) = Y(ax + by +
y√A) + X(Ay + ax√A + by√A) = (Y + X√A)(ax + by + y√A).
(This fact—that substitution of (1) in a(αu + (β + √A)v) gives this
result—is the source of formula (3).) Therefore, the same substitution
in a(αu + (β − √A)v) carries it to (Y − X√A)(ax + by − y√A), so it
also carries a²((αu + βv)² − Av²) to (Y² − AX²)((ax + by)² − Ay²);
division by a²α = a(Y² − AX²) then gives the required identity αu² +
2βuv + γv² = ax² + 2bxy + cy².

Conversely, suppose [a, b + √A] and [α, β + √A] are given and
suppose a 2 × 2 matrix of integers with rows (q, r) and (s, t) and with
determinant 1 is given for which (2) holds (where, of course, c and γ
are defined by b² − ac = A and β² − αγ = A, respectively). The
formulas X = s and Y = at − bs determine integer values of X and Y
for which [Y + X√A][a, b + √A] = [a][α, β + √A] in the following way.


³ See Chapter 20 for the definition of the norm of a module.

Equation (2) implies, because the determinant of the matrix of
coefficients is 1, that


       [  t  −s ] [ a  b ] [  t  −r ]   [ α  β ]
       [ −r   q ] [ b  c ] [ −s   q ] = [ β  γ ],

which implies, when the entries of the first row in the product on
the left are computed, that α = at² − 2bst + cs² and β = −art +
bqt + brs − cqs. On the other hand, [Y + X√A][a, b + √A] = [at −
bs + s√A][a, b + √A] = [a][at − bs + s√A, (abt − b²s + As)/a + ((at − bs + bs)/a)·√A]
= [a][at − bs + s√A, bt − cs + t√A]. Let 𝒜 = at − bs + s√A
and ℬ = bt − cs + t√A so that [Y + X√A][a, b + √A] = [a][𝒜, ℬ].
Simple computation gives t𝒜 − sℬ = at² − bst − bst + cs² = α and
−r𝒜 + qℬ = −art + brs + bqt − cqs + (−rs + qt)√A = β + √A, so
[𝒜, ℬ] = [𝒜, ℬ, α, β + √A]. Since the matrix with rows (t, −s) and
(−r, q) is the inverse of the matrix with rows (q, s) and (r, t),
the equations t𝒜 − sℬ = α and −r𝒜 + qℬ = β + √A imply 𝒜 =
qα + s(β + √A) and ℬ = rα + t(β + √A), which means that 𝒜 and
ℬ can be dropped to find [𝒜, ℬ] = [α, β + √A], as was to be shown.


If X and Y are both positive, or if X = 0, this equation [Y +
X√A][a, b + √A] = [a][α, β + √A] proves that [a, b + √A] ∼ [α, β +
√A]. If both X and Y are negative, the equivalent equation [−Y −
X√A][a, b + √A] = [a][α, β + √A] yields the same conclusion. Finally,
if X and Y have opposite signs, then multiplication of both sides by
[Y − X√A] gives [Y² − AX²][a, b + √A] = [a][Y − X√A][α, β + √A];
since Y² − AX² = aα (take norms on both sides), this equation
implies [α][a, b + √A] = [Y − X√A][α, β + √A]. Since −X and Y
have the same sign, the desired conclusion [a, b + √A] ∼ [α, β + √A]
follows from the cases already proved when the roles of [a, b + √A]
and [α, β + √A] are reversed. □
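
The two directions of the proof can be traced numerically: equation (2) turns a change of variables into new coefficients, X = s and Y = at − bs turn the matrix into a hypernumber, and formula (3) turns that hypernumber back into the matrix. The Python sketch below is an added example, not the book's own; the function names and the sample form 2u² − 5v² with the matrix of rows (2, 3) and (1, 2) are constructed for illustration, and the entries of formula (3) are written as the proof evaluates them.

```python
def substitute(uv_form, M):
    """Equation (2): coefficients (a, b, c) of a x^2 + 2b xy + c y^2 obtained
    from alpha u^2 + 2 beta uv + gamma v^2 by u = qx + ry, v = sx + ty."""
    alpha, beta, gamma = uv_form
    (q, r), (s, t) = M
    a = alpha * q * q + 2 * beta * q * s + gamma * s * s
    b = alpha * q * r + beta * (q * t + r * s) + gamma * s * t
    c = alpha * r * r + 2 * beta * r * t + gamma * t * t
    return a, b, c


def discriminant(form):
    """b^2 - ac for the form a x^2 + 2b xy + c y^2 (Gauss's 'determinant')."""
    a, b, c = form
    return b * b - a * c


def determinant(M):
    (q, r), (s, t) = M
    return q * t - r * s


def hypernumber_from_matrix(xy_form, M):
    """Converse direction of the proof: X = s and Y = at - bs. Returns (Y, X)."""
    a, b, _ = xy_form
    (_, _), (s, t) = M
    return a * t - b * s, s


def matrix_from_hypernumber(xy_form, uv_form, Y, X):
    """Formula (3): recover (q, r; s, t) from Y + X*sqrt(A), where
    Y^2 - A X^2 = a*alpha. Raises if an entry fails to be an integer."""
    a, b, _ = xy_form
    alpha, beta, _ = uv_form
    A = discriminant(xy_form)
    if A != discriminant(uv_form):
        raise ValueError("forms have different discriminants")
    if Y * Y - A * X * X != a * alpha:
        raise ValueError("Y^2 - A X^2 must equal a*alpha")
    fractions = [
        (Y - beta * X, alpha),                                 # q
        (Y * b + A * X - beta * Y - beta * b * X, a * alpha),  # r
        (X, 1),                                                # s
        (Y + b * X, a),                                        # t
    ]
    entries = []
    for numerator, denominator in fractions:
        if numerator % denominator != 0:
            raise ValueError("formula (3) entry is not an integer")
        entries.append(numerator // denominator)
    q, r, s, t = entries
    return ((q, r), (s, t))


def round_trip(uv_form, M):
    """Apply (2), pass to the hypernumber, and come back through (3)."""
    if determinant(M) != 1:
        raise ValueError("Gauss's equivalence requires determinant 1")
    xy_form = substitute(uv_form, M)
    Y, X = hypernumber_from_matrix(xy_form, M)
    return xy_form, (Y, X), matrix_from_hypernumber(xy_form, uv_form, Y, X)


if __name__ == "__main__":
    # Constructed sample: 2u^2 - 5v^2 (A = 10) under u = 2x + 3y, v = x + 2y.
    print(round_trip((2, 0, -5), ((2, 3), (1, 2))))
    # Gauss's pair from Exercise 2, checked with equation (2) alone.
    print(substitute((-13, -6, -2), ((2, -1), (-3, 2))))
```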


Exercises for Chapter 30 
1. Show that every form ax² + 2bxy + cy² in which a is positive
is equivalent to one in which a is unchanged and b is positive.


2. Gauss’s first example [G, Art. 158] of a pair of equivalent
forms is 2x² − 8xy + 3y² and −13u² − 12uv − 2v², for which he gives
the explicit equivalence u = 2x − y, v = −3x + 2y. The method of
this chapter does not apply directly to this example because −13u² −
12uv − 2v² does not correspond to a module. The form 2x² − 8xy + 3y²
corresponds to [2, −4 + √10] = [2, √10], as does the form 2x² − 5y²,
so these two forms are equivalent. The substitution X = y, Y = −x
given by the matrix

       [  0  1 ]
       [ −1  0 ]

with determinant 1 shows that −5X² + 2Y² and 2x² − 5y² are
equivalent. Therefore, Gauss’s equivalence can
be found by using the method of the chapter to find an equivalence of
5X² − 2Y² and 13u² + 12uv + 2v². Carry out the explicit construction
of an equivalence these steps indicate. (There is no reason to expect,
a priori, that the equivalence found in this way will be the one Gauss
gives.)

3. For what primes p is the form x² − py² equivalent in Gauss’s
sense to the form −u² + pv²?


Exercises on Hypernumbers with Negative A 


In order to deal with hypernumbers with negative A, it makes
sense to start with integers instead of numbers in the sense of Chapter
1. Such hypernumbers will be written y + x√−A, where x and y are
integers and −A is a negative integer, and to make the distinction
clear, they will be called hyperintegers. The following exercises
show that the theory of modules of hyperintegers can be developed in
ways that are parallel to the methods used in the previous chapters.


Hyperintegers can be added and multiplied in the obvious ways.
Moreover, they can be subtracted, so that m ≡ n mod [a_1, a_2, ...,
a_k] can be defined either in the way it is defined for hypernumbers
in Chapter 17 or defined more simply as meaning that m − n =
r_1a_1 + r_2a_2 + ⋯ + r_ka_k where r_1, r_2, ..., r_k are hyperintegers. As
in Chapter 17, [a_1, a_2, ..., a_k] = [b_1, b_2, ..., b_l] means that two
hyperintegers are congruent mod [a_1, a_2, ..., a_k] if and only if they
are congruent mod [b_1, b_2, ..., b_l].

4. Prove that any module [a_1, a_2, ..., a_k] that is not equal to
[0] (that is, the corresponding congruence relation is not equality) is
equal to one and only one module of the form [e][f, g + √−A], where
e and f are positive integers, 0 ≤ g < f, and g² ≡ −A mod f. Such
a module of hyperintegers will be said to be in canonical form.

5. Let a module of hyperintegers be called principal if it can
be written in the form $[y + x\sqrt{-A}]$ (so there is no condition on the
sizes or signs of $x$ and $y$), and let two modules be called equivalent
if they can be made equal by multiplying them by principal modules.
State and prove an analog of the comparison algorithm for modules
of hyperintegers.


6. Prove that if $p$ is a prime and $p \equiv 1 \bmod 4$, then $[p, g + \sqrt{-1}]$ is a
module in canonical form for some $g$. Show that repeated application
of the comparison algorithm to $[p, g + \sqrt{-1}]$ reaches the module $[1]$
(after which it merely repeats $[1]$ endlessly) and that the formula of
the theorem of Chapter 19 then gives a representation of $p$ as a sum
of two squares. This is the classic fact of number theory, first proved
by Euler, that a prime that is 1 mod 4 can be written as a sum of two
squares.


7. Use a method like the one of the previous exercise to prove
that if $p$ is prime and $p \equiv 1$ or $3 \bmod 8$, then $p$ can be written as a
square plus twice a square.

8. Similarly, if $p$ is 1 mod 3, then $p = \square + 3\square$.

9. By Euler’s law, the value of $C_p(5)$ depends only on the value
of $p$ mod 20. One easily finds $C_p(5) = 1$ if and only if $p \equiv 1$, 3, 7, or
9 mod 20. In this case it is not always true, however, that $p = \square + 5\square$.
Try several cases and discover what is true. (Hint: The class group
has two elements.)
Composition of Binary Quadratic Forms


The theorem of Chapter 30 shows that Gauss’s partition of forms into
equivalence classes coincides with the partition of modules of
hypernumbers into their equivalence classes. But between these parallel
theories—the “module” theory and the “form” theory—the module
theory has a distinct advantage: Modules can be multiplied but forms
cannot.

Disquisitiones Arithmeticae develops the theory strictly in terms
of forms, which means that this operation—so easily described in
terms of modules—must be described as an operation with forms.
This is the role of composition of forms in Gauss’s theory.

Since the “module” point of view has been used in the earlier
chapters to give complete derivations of the solution of $A\square + B = \square$,
of “Euler’s law,” and of the law of quadratic reciprocity, it is not
necessary here, as it was for Gauss, to give a full theory of composition
of forms in connection with these derivations; a brief explanation of
an algorithm for composing forms will suffice.


When Brahmagupta’s formula is stated

if $X = xv + yu$ and $Y = yv + Axu$,
then $Y^2 - AX^2 = (y^2 - Ax^2)(v^2 - Au^2)$

(here $A$ is to be thought of as an integer—preferably a positive integer
not a square—but in fact the formula is true when $A$, as well as $x$, $y$,
$u$, and $v$, is regarded as an indeterminate), it is a special case of the
composition of forms.


More generally, a composition of two forms $ax^2 + 2bxy + cy^2$ and
$\alpha u^2 + 2\beta uv + \gamma v^2$ is a way of defining polynomials $X$ and $Y$ in $x$, $y$, $u$,
and $v$ with the property that $(ax^2 + 2bxy + cy^2)(\alpha u^2 + 2\beta uv + \gamma v^2)$ can
be expressed as a form $AX^2 + 2BXY + CY^2$ in $X$ and $Y$. Here $a$, $b$,
$c$, $\alpha$, $\beta$, $\gamma$, $A$, $B$, and $C$ are integers, $x$, $y$, $u$, and $v$ are indeterminates,
and $X$ and $Y$ are polynomials in the indeterminates with integer
coefficients. General considerations dictate that $X$ and $Y$ must be
bilinear in $(x, y)$ and $(u, v)$, which is to say that

$X = p_0 xu + p_1 xv + p_2 yu + p_3 yv$
$Y = q_0 xu + q_1 xv + q_2 yu + q_3 yv$


where the $p$’s and $q$’s are integers. A composition of $ax^2 + 2bxy + cy^2$
and $\alpha u^2 + 2\beta uv + \gamma v^2$ consists of polynomials $X$ and $Y$ of this form
and integers $A$, $B$, and $C$, for which the polynomial identity

(1) $AX^2 + 2BXY + CY^2 = (ax^2 + 2bxy + cy^2)(\alpha u^2 + 2\beta uv + \gamma v^2)$

holds.¹


Gauss proved (under very mild assumptions of nondegeneracy)
that the existence of such a formula implies that the ratio of the
discriminants $b^2 - ac$ and $\beta^2 - \alpha\gamma$ of the two given forms must be a
ratio of squares, which is to say that there must be nonzero numbers
$s$ and $\sigma$ for which $s^2(b^2 - ac) = \sigma^2(\beta^2 - \alpha\gamma)$. Conversely, when this
condition is met, one can explicitly construct a composition formula
(1) in the following way.


First, a few simplifying assumptions. Since a composition formula
for $ax^2 + 2bxy + cy^2$ and $\alpha u^2 + 2\beta uv + \gamma v^2$ implies one for
$-ax^2 - 2bxy - cy^2$ and $\alpha u^2 + 2\beta uv + \gamma v^2$ (use the same $X$ and $Y$ and simply
reverse the signs of $A$, $B$, and $C$), there is no loss of generality in
assuming that $a > 0$ and $\alpha > 0$. As before, it will be assumed
that the discriminants are not squares (even though Gauss considered
that case as well), so, in particular, neither $a$ nor $\alpha$ is zero. Since a
composition formula for $ax^2 + 2bxy + cy^2$ and $\alpha u^2 + 2\beta uv + \gamma v^2$ follows
easily from a composition formula for
$a(x + ny)^2 + 2b(x + ny)y + cy^2 = ax^2 + 2(b + na)xy + (c + 2bn + an^2)y^2$
and $\alpha u^2 + 2\beta uv + \gamma v^2$, one
can also assume without loss of generality that $b$ (and even $c$) is
positive. Finally, it will be assumed that the common value $A$ of
$s^2(b^2 - ac) = \sigma^2(\beta^2 - \alpha\gamma)$ is positive so that the theory of modules
of hypernumbers developed in the earlier chapters applies. (The case
$A < 0$ requires only very minor adjustments.)

¹ Gauss also stipulates that the six 2 x 2 minors of the 2 x 4 matrix of $p$’s
and $q$’s must be relatively prime and the first two of them must be positive.
The method explained below always yields formulas that meet these technical
conditions, which are needed to avoid certain degenerate cases and to make the
operation of composition consistent with the stronger meaning of equivalence that
Gauss had introduced.


Given $ax^2 + 2bxy + cy^2$ and $\alpha u^2 + 2\beta uv + \gamma v^2$ satisfying these
conditions, compute the product of modules

(2) $[sa, sb + \sqrt{A}][\sigma\alpha, \sigma\beta + \sqrt{A}] = [E][F, G + \sqrt{A}]$

where the right side is in canonical form.

Theorem. Under these conditions, the formula

(3) $(sax + sby + y\sqrt{A})(\sigma\alpha u + \sigma\beta v + v\sqrt{A}) = E(FX + GY + Y\sqrt{A})$

determines polynomials $X$ and $Y$ in $x$, $y$, $u$, and $v$ with the property
that $(ax^2 + 2bxy + cy^2)(\alpha u^2 + 2\beta uv + \gamma v^2)$ can be expressed as a form
in $X$ and $Y$. In fact, explicit formulas for integers $A$, $B$, and $C$ will
be given that satisfy (1).


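Proof. The definitions of $E$, $F$, and $G$ in (2) imply that $sa \cdot \sigma\alpha$,
$sa(\sigma\beta + \sqrt{A})$, $\sigma\alpha(sb + \sqrt{A})$, and $(sb + \sqrt{A})(\sigma\beta + \sqrt{A})$ are all divisible by
$[E][F, G + \sqrt{A}]$. In other words, $sa$, $\sigma\alpha$, and $sb + \sigma\beta$ are all divisible by
$E$, and the congruences $sa \cdot \sigma\alpha \equiv 0 \bmod EF$, $sa \cdot \sigma\beta \equiv G sa \bmod EF$,
$\sigma\alpha \cdot sb \equiv G\sigma\alpha \bmod EF$, and $sb \cdot \sigma\beta + A \equiv G(sb + \sigma\beta) \bmod EF$ all
hold.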


When one equates the coefficients of $\sqrt{A}$ on the two sides of (3),
one finds that $Y$ must satisfy

$(sax + sby)v + (\sigma\alpha u + \sigma\beta v)y = EY$,

which shows that

$Y = \frac{sa}{E}xv + \frac{\sigma\alpha}{E}yu + \frac{sb + \sigma\beta}{E}yv$,

a formula which determines $Y$ as a polynomial in $x$, $y$, $u$, and $v$ with
integer coefficients.

The terms of (3) without $\sqrt{A}$ give

$(sax + sby)(\sigma\alpha u + \sigma\beta v) + Ayv = EFX + EGY$.

Subtract $EGY = G(sa \cdot xv + \sigma\alpha \cdot yu + (sb + \sigma\beta)yv)$ from both sides
and divide by $EF$ to find

$X = \frac{sa \cdot \sigma\alpha}{EF}xu + \frac{sa(\sigma\beta - G)}{EF}xv + \frac{\sigma\alpha(sb - G)}{EF}yu + \frac{sb \cdot \sigma\beta + A - G(sb + \sigma\beta)}{EF}yv$,

which expresses $X$ as a polynomial in $x$, $y$, $u$, and $v$ with integer
coefficients.


The polynomials $X$ and $Y$ defined in this way also satisfy
$(sax + sby - y\sqrt{A})(\sigma\alpha u + \sigma\beta v - v\sqrt{A}) = E(FX + GY - Y\sqrt{A})$ and when
this equation is multiplied by (3), the result is

$((sax + sby)^2 - Ay^2)((\sigma\alpha u + \sigma\beta v)^2 - Av^2) = E^2((FX + GY)^2 - AY^2)$.

Since $A = s^2(b^2 - ac) = \sigma^2(\beta^2 - \alpha\gamma)$, division of this equation by
$s^2\sigma^2 a\alpha$ gives

$(ax^2 + 2bxy + cy^2)(\alpha u^2 + 2\beta uv + \gamma v^2) = \frac{E^2F^2X^2 + 2E^2FGXY + E^2(G^2 - A)Y^2}{s^2\sigma^2 a\alpha}$

which is a composition formula because the three coefficients in the
numerator on the right are divisible by the denominator so the right
side has the form $AX^2 + 2BXY + CY^2$, as can be proved in the
following way.


The norm of equation (2) is

(4) $[sa \cdot \sigma\alpha][sm, sb + \sqrt{A}][\sigma\mu, \sigma\beta + \sqrt{A}] = [E^2F][M, G + \sqrt{A}]$,

where $m$, $\mu$, and $M$ are defined by $[m] = [sa, 2sb, sc]$, $[\mu] = [\sigma\alpha, 2\sigma\beta, \sigma\gamma]$,
and $[M] = [F, 2G, \frac{G^2 - A}{F}]$. The norm of (4), in turn, is

(5) $[sa \cdot \sigma\alpha]^2[sm \cdot \sigma\mu][sm, sb + \sqrt{A}][\sigma\mu, \sigma\beta + \sqrt{A}] = [E^2F]^2[M][M, G + \sqrt{A}]$

because $2b \equiv 0 \bmod m$ and $b^2 \equiv A \bmod a \cdot c$, which implies
$b^2 \equiv A \bmod m^2$, and similarly for $\mu$ and $M$. When (4) is used to put the
left side of (5) in canonical form, one finds

$[sa \cdot \sigma\alpha][sm \cdot \sigma\mu][E^2F][M, G + \sqrt{A}] = [E^2F]^2[M][M, G + \sqrt{A}]$

which amounts simply to the statement that $sa \cdot \sigma\alpha \cdot sm \cdot \sigma\mu = E^2FM$.
In view of the definition of $M$, the desired conclusion that $s^2\sigma^2 a\alpha$
divides $E^2F^2$, $2E^2FG$, and $E^2(G^2 - A)$ follows. □
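The construction of the theorem, carried out in Python as an added example (it is not code from the book). It assumes signed integer pairs (y, x) standing for $y + x\sqrt{A}$, so the same routine also covers the case $A < 0$ of the forms in Exercise 2 below; the function names are hypothetical, and the middle value it returns is the full coefficient $2B$ of $XY$.

```python
from itertools import product
from math import gcd


def egcd(a, b):
    """Return (g, u, v) with g = gcd(a, b) >= 0 and u*a + v*b == g."""
    u0, v0, u1, v1 = 1, 0, 0, 1
    while b:
        q = a // b
        a, b = b, a - q * b
        u0, u1 = u1, u0 - q * u1
        v0, v1 = v1, v0 - q * v1
    return (a, u0, v0) if a >= 0 else (-a, -u0, -v0)


def canonical_product(D, gens1, gens2):
    """Multiply two modules whose generators are pairs (y, x) = y + x*sqrt(D).

    Returns (E, F, G) with product = [E][F, G + sqrt(D)], as in equation (2).
    """
    def mul(p, q):
        return (p[0] * q[0] + D * p[1] * q[1], p[0] * q[1] + p[1] * q[0])

    vectors = [mul(p, q) for p in gens1 for q in gens2]
    vectors += [mul(w, (0, 1)) for w in vectors]  # multiples by sqrt(D)
    r, t, e = 0, 0, 0  # lattice basis found so far: (r, 0) and (t, e)
    for y, x in vectors:
        if x == 0:
            r = gcd(r, y)
            continue
        g, u, v = egcd(e, x)
        # Unimodular step: one vector gets sqrt-coefficient g, the other 0.
        leftover = (x // g) * t - (e // g) * y
        t, e = u * t + v * y, g
        r = gcd(r, leftover)
    assert r % e == 0 and t % e == 0
    F = r // e
    return e, F, (t // e) % F


def exact(n, d):
    """Integer division that refuses a nonzero remainder."""
    q, rem = divmod(n, d)
    if rem:
        raise ArithmeticError(f"{d} does not divide {n}")
    return q


def compose(form1, form2, s=1, sigma=1):
    """Compose (a, b, c) = ax^2+2bxy+cy^2 with (alpha, beta, gamma).

    Returns (p, q, (A, 2B, C)); p and q are the coefficients of
    xu, xv, yu, yv in X and Y respectively.
    """
    a, b, c = form1
    al, be, ga = form2
    D = s * s * (b * b - a * c)  # the common value called A in the text
    if D != sigma * sigma * (be * be - al * ga):
        raise ValueError("s^2(b^2-ac) must equal sigma^2(beta^2-alpha*gamma)")
    sa, sb, oa, ob = s * a, s * b, sigma * al, sigma * be
    E, F, G = canonical_product(D, [(sa, 0), (sb, 1)], [(oa, 0), (ob, 1)])
    EF = E * F
    q = (0, exact(sa, E), exact(oa, E), exact(sb + ob, E))
    p = (exact(sa * oa, EF), exact(sa * (ob - G), EF),
         exact(oa * (sb - G), EF), exact(sb * ob + D - G * (sb + ob), EF))
    den = s * s * sigma * sigma * a * al
    coeffs = (exact(E * E * F * F, den), exact(2 * E * E * F * G, den),
              exact(E * E * (G * G - D), den))
    return p, q, coeffs


def identity_holds(form1, form2, p, q, coeffs, span=range(-3, 4)):
    """Check identity (1) at every integer point of a small grid."""
    a, b, c = form1
    al, be, ga = form2
    A, twoB, C = coeffs
    for x, y, u, v in product(span, repeat=4):
        mono = (x * u, x * v, y * u, y * v)
        X = sum(k * m for k, m in zip(p, mono))
        Y = sum(k * m for k, m in zip(q, mono))
        lhs = A * X * X + twoB * X * Y + C * Y * Y
        rhs = (a*x*x + 2*b*x*y + c*y*y) * (al*u*u + 2*be*u*v + ga*v*v)
        if lhs != rhs:
            return False
    return True


if __name__ == "__main__":
    f1, f2 = (3, 1, 47), (9, 7, 21)  # the forms of Exercise 2
    p, q, coeffs = compose(f1, f2)
    print("X:", p, "Y:", q, "A, 2B, C:", coeffs, identity_holds(f1, f2, p, q, coeffs))
```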


One composition formula for $ax^2 + 2bxy + cy^2$ and $\alpha u^2 + 2\beta uv + \gamma v^2$
implies infinitely many others, because the substitution

$U = qX + rY$
$V = sX + tY$

where $q$, $r$, $s$, and $t$ are integers satisfying $qt - rs = 1$ gives another
composition formula when $X = tU - rV$ and $Y = -sU + qV$ are
substituted in the known composition formula. Gauss proved, again
under very mild nondegeneracy assumptions, that one composition
formula implies all others in this way. Therefore, the above
construction determines all composition formulas for $ax^2 + 2bxy + cy^2$ and
$\alpha u^2 + 2\beta uv + \gamma v^2$. In short, any two forms $AX^2 + 2BXY + CY^2$
that compose $ax^2 + 2bxy + cy^2$ and $\alpha u^2 + 2\beta uv + \gamma v^2$ are equivalent.
Therefore, all compositions of two given forms can be found once one
has been found by the construction above.


The proof of this key theorem is only the beginning of the problems
associated with doing the entire theory in terms of forms. A
much greater obstacle is the proof that composition is associative
in the appropriate sense. But if one chooses to regard compositions
of forms as a cumbersome way to accomplish what is accomplished
more easily and naturally using computations with modules
of hypernumbers—for which the associativity of multiplication is
self-evident—one can ignore these difficulties.
Exercises for Chapter 31


1. Find a general formula for composing $x^2 - Ay^2$ and
$\alpha u^2 + 2\beta uv + \gamma v^2$ when $\beta^2 - \alpha\gamma = A$.

2. Find a formula for the composition of $3x^2 + 2xy + 47y^2$ and
$9u^2 + 14uv + 21v^2$. (See [G, Art. 243]. For these forms $b^2 - ac = -140$,
so computations with hypernumbers $y + x\sqrt{-140}$ are needed. It is
easy to guess what to do, and the result is an explicit formula that
can be verified without reference to hypernumbers.)


3. Almost all treatments of the composition of forms since Gauss’s 
original treatment have ignored the composition of forms and have 
merely composed equivalence classes of forms. For Gauss, who had 
done the hard work of defining the composition of forms in full, the 
definition of the composite of two equivalence classes followed simply 
from: 


Theorem. The equivalence class of the composite of two given forms 
depends only on the equivalence classes of the given forms. 


Otherwise stated: 


Theorem. If there is a composition formula in which $AX^2 + 2BXY + CY^2$
is a composite of $ax^2 + 2bxy + cy^2$ and $\alpha u^2 + 2\beta uv + \gamma v^2$ and
another in which $A_1X_1^2 + 2B_1X_1Y_1 + C_1Y_1^2$ is a composite of
$a_1x_1^2 + 2b_1x_1y_1 + c_1y_1^2$ and $\alpha u^2 + 2\beta uv + \gamma v^2$ and if $ax^2 + 2bxy + cy^2$ is equivalent
to $a_1x_1^2 + 2b_1x_1y_1 + c_1y_1^2$, then the form $AX^2 + 2BXY + CY^2$ is
equivalent to $A_1X_1^2 + 2B_1X_1Y_1 + C_1Y_1^2$.


Prove this theorem. (You will need to make use of the theorem
of Gauss cited in the text to the effect that any two forms
$AX^2 + 2BXY + CY^2$ that compose the same forms $ax^2 + 2bxy + cy^2$ and
$\alpha u^2 + 2\beta uv + \gamma v^2$ are equivalent.)
Appendix


Cycles of Stable Modules


The tables on the following pages describe the stable modules for all
values of $A$, except squares, up to $A = 111$. The first line gives the
value of $A$, followed by the number of stable modules for that $A$ that
correspond to each number $k$ for which $k^2 < A$ (see Chapter 22).
The following line or lines give one module from each cycle of stable
modules and the number of modules in the cycle. (A programmable
calculator can easily generate all modules in a cycle when a single
module is given.) For squarefree values of $A$, the signature of each
cycle is also given. (See Chapter 24.)


For example, when $A = 33$, there are 24 stable modules, partitioned
into 4 cycles. There are 15 pairs $(k, f)$, namely, (0, 1), (0, 3),
(0, 11), (0, 33), (1, 2), (1, 4), (1, 8), (1, 16), (1, 32), (2, 29), (3, 6), (3, 8),
(3, 12), (3, 24), (4, 17), 6 of which satisfy either $k = 0$ or $2k = f$. The
principal cycle, the cycle of $[1]$, contains 2 modules; there is one other
primitive cycle, the cycle of $[33, \sqrt{33}]$, containing 12 modules, and
two cycles that are not primitive, one containing 4 modules and the
other containing 6 modules. Since 33 is squarefree, the signatures of
all four cycles are given.
A=? 0:0)

[1, 2] + (2) 
A=3.  0(2),1(1) 

[1, V3] ++ (1), [2,1+ v3] —— (2) 
A=5. 0 (2), 1 (3) 

(1, /5] + (4), [2,1 + V5]* — (1) 
A=6.  0(4), 1 (2) 

[1, V6] ++ (2), [2, V6] —— (4) 
A=7.  0(2),1(5) 

(1, V7] ++ (2), (7, V7] —— (5) 
A=8. 0 (4), 1 (2), 2 (1) 

[1, V8] (1), [8, v8] (4), [2, V8]* (2) 
A=10. 0 (4), 1 (4), 2 (2) 

(1, Y10] ++ (6), [2, 10] —— (4) 
A=11. 0 (2), 1 (5), 2 (2) 

(1, V11] ++ (3), (11, V11] —— (6) 
A=12. 0 (6), 1 (2), 2 (3) 

[1, V12] (2), [3, W712] (6), [2, ¥12]* (1), [6, V12]* (2) 
A=13. 0 (2), 1 (9), 2 (2) 

[1, V13] + (10), [2,1 + V11]* — (3) 
A=14. 0 (4), 1 (2), 2 (4) 

(1, 14] ++ (2), [14, V14] —— (8) 
A=15. 0 (4), 1 (5), 2 (2), 3 (1) 


[1, V15] aaa (1), [15, V15] ee a (6), [2,1 + V15] ces (2), 
[3, V15] + — — (3) 


A=17. 0 (2), 1(7), 2 (2), 3 (2) 

[1, V17] + (8), [2,1+ V17]* — (5) 
A=18. 0 (6), 1 (2), 2 (4), 3 (2) 

[1, V18] (4), [18, V18} (8), (3, v18]* (2) 
A=19. 0 (2), 1 (9), 2 (4), 3 (2) 

[1, V19] ++ (7), [19, V19] —— (10) 
A=20. 0 (6), 1 (2), 2 (5), 3 (2)
[1, 20} (2), [20, v20} (8), [2, V20]* (4), [4,2 + v20]* (1) 
A=21. 0 (4), 1(9), 2 (2), 3 (3) 
[1, V2]] sige (4), (21, V21] —— (10), [2,1 Ba v21]* a (1), 
[6,3 + V21]* +— (3) 
A=22. 0 (4), 1 (6), 2 (6), 3 (2) 
[1, V22| cng (5); [22, 22] a (12) 
A=23. 0 (2), 1 (5), 2 (2), 3 (4) 
(1, V'23] er (2), [23, V'23) = (11) 
A=24. 0 (8), 1 (2), 2 (7), 3 (2), 4 (1) 
[1, v.24] (1), [24, v24] (8), [8, V24] (3), [4,2 + V24] (2), 
[2, 24]* (2), [4, V24]* (4) 
A=26. 0 (4), 1 (4), 2 (4), 3 (2), 4 (2) 
[1, 26] ++ (10), [2, 26] —— (6) 
A=27. 0 (4), 1 (5), 2 (2), 3 (5), 4 (2) 
(1, 27] (5), (27, V27] (10), [3, V27|* (1), [6,3 + V27]* (2) 
A=28. 0 (6), 1 (6), 2 (9), 3 (2), 4 (2) 
[1, v/28] (6), [28, 28] (12), [2, 28]* (2), [14, V28]* (5) 
A=29. 0 (2), 1 (9), 2 (4), 3 (4), 4 (2) 
(1, V'29] te (16), [2,1 sae Vv 29]* > (5) 
A=30. 0 (8), 1 (2), 2 (4), 3 (4), 4 (2) 
[1, V30] + + + (2), [30, V30] — + — (10), [2, V30] — — + (2), 
[10, V30] a (6) 
A=31. 0 (2), 1 (13), 2 (4), 3 (4), 4 (2) 
1, V31] aa (8), (31, V3] a (17) 
A =32. 0 (6), 1 (2), 2 (7), 3 (2), 4 (3) 
[1, 32] (2), [32, V32] (11), [2, V32]* (1), [4, V32]* (2), 
[16, /32]* (4) 
A =33. 0 (4), 1 (9), 2 (2), 3 (7), 4 (2) 


[1, √33] ++ (2), [33, √33] −− (12), [2, 1 + √33]* −− (4),
[4, 1 + √33]* ++ (6)




A=34. 0 (4), 1 (6), 2 (10), 3 (2), 4 (4) 


[1, V34] ea (2), [34, V34] sa (14), [3,1 + 34] a (5), 
[3,2 + V34) os (5) 


A=35. 0 (4), 1 (5), 2 (2), 3 (4), 4 (2), 5 (1) 


[1, V35] +++ (1), [35, V35] + — — (10), [5, ¥35] — — + (5), 
[7, V35] ea ia (2) 


A=37. 0 (2), 1 (15), 2 (4), 3 (6), 4 (2), 5 (2) 


[1, 437] + (12), [7,3 + V37] + (6), [7,4 + V37] + (6), 
[2,1 + V37]* — (7) 


A=38. 0 (4), 1 (2), 2 (4), 3 (2), 4 (4), 5 (2) 
[1, V38] ++ (6), [38, 738] —— (12) 
A =39. 0 (4), 1 (5), 2 (6), 3 (7), 4 i 5 (2) 


[1, V39] + + + (4), [39, V39] — + — (12), [2,1 + V39] — — + (3), 
[6,3 + V39] + — — (7) 


A=40. 0 (8), 1 (6), 2 (11), 3 (2), 4 (5), 5 (2) 


[1, V40] (3), [40, 40] (12), [5, v40] (6), [8, v’40} (3), 
[2, V40]* (6), [10, v'40]* (4) 


A=4l. 0 (2), 1 (13), 2 (2), 3 (6), 4 (2), 5 (2) 
[1, 41] + (16), [2,1 + V41]* + (11) 
A=42. 0 (8), 1 (2), 2 (4), 3 (4), 4 (4), 5 (2) 


[1, V42] 2 a a (2), [42, 42] pt arr (12), [2, V42| he (4), 
[3, V42] + — — (6) 


A=43. 0 (2), 1 (13), 2 (4), 3 (4), 4 (4), 5 (2) 

(1, 43] ++ (13), [43, 43] —— (16) 
A=44. 0 (6), 1 (2), 2 (11), 3 (4), 4 (4), 5 (2) 

[1, v44] (4), [44, 44] (16), [2, V44]* (3), [22, v44]* (6) 
A=45. 0 (6), 1 (9), 2 (2), 3 (9), 4 (2), 5 (3) 


[1, 45] (4), [45, V45] (16), [3, V45]* (4), [2,1 + V45]* (1), 
[6,3 + V45]* (1), [10,5 + V/45]* (5) 


A=46. 0 (4), 1 (10), 2 (10), 3 (2), 4 (6), 5 (2) 
(1, /46] ++ (8), [46, 46] —— (26) 

A =47. 0 (2), 1 (5), 2 (2), 3 (4), 4 (2), 5 (4) 
[1, V47] ++ (2), [47, v47] —— (17) 
A=48. 0 (10), 1 (2), 2 (7), 3 (4), 4 (5), 5 (2), 6 (1)


[1, V48] (1), [48, V48] (12), [3, V48] (3), [16, 748] (4), 
[2, V/48]* (2), [4, V48]* (1), [6, V48]* (6), [12, V'48]* (2) 


A=50. 0 (6), 1 (4), 2 (4), 3 (2), 4 (4), 5 (2), 6 (2) 
[1, 50] (14), [2, 50} (8), [5, V50}* (2) 
A=5l. 0 (4), 1 (9), 2 (2), 3 (9), 4 (2), 5 (4), 6 (2) 


[1, V51] pie (7), [51, V51] peas (14), [3, V51| 7 eee (5), 


[17, 51] — — + (6) 
A=52. 0 (6), 1 (6), 2 (2), 3 (13), 4 (8), 5 (2), 6 (2) 

[1, 52] (10), [52, V52] (16), [2, W52]* (10), [4, V52]* (3) 
A=53. 0 (2), 1 (9), 2 (4), 3 (6), 4 (2), 5 (4), 6 (2) 

(1, 453] + (22), [2,1 + V53]* — (7) 
A=54. 0 (8), 1 (2), 2 (8), 3 (6), 4 (4), 5 (2), 6 (2) 

[1, 54] (10), [54, V54] (16), [3, V54]* (2), (6, V54]* (4) 
A=55. 0 (4), 1 (13), 2 (4), 3 (4), 4 (4), 5 (5), 6 (2) 
[1, √55] + + + (4), [55, √55] + − − (16), [2, 1 + √55] − − + (8),


[3,1 + V55] — + — (8) 
A=56. 0 (8), 1 (6), 2 (7), 3 (2), 4 (7), 5 (2), 6 (2) 
[1, V56] (2), [56, V56] (14), [4,2 + V56] (4), [5,1 + V56] (4), 
[2, V56]* (2), [14, V56]* (8) 
A =57. 0 (4), 1 (13), 2 (2), 3 (11), 4 (2), 5 (4), 6 (2) 
[1, V57] ++ (6), (57, V57| —— (16), [2,1 + V57]* —— (7), 
[6,3 + V57]* ++ (9) 
A=58. 0 (4), 1 (6), 2 (10), 3 (4), 4 (6), 5 (4), 6 (2) 
[1, V5] ++ (20), [2, 458] —— (16) 
A=59. 0 (2), 1 (5), 2 (6), 3 (6), 4 (2), 5 (4), 6 (2) 
(1, W59] ++ (9), (59, W59} —— (18) 
A=60. 0 (12), 1 (2), 2 (11), 3 (4), 4 (6), 5 (2), 6 (3) 
[1, V60] (2), [60, 60] (16), (3, V60] (4), [5, V60} (6), 
[2, V60]* (1), [6, V60]* (3), [10, V60]* (2), [30, V60]* (6) 
A=6l1. 0 (2), 1 (5), 2 (6), 3 (6), 4 (2), 5 (4), 6 (2) 
[1, V61] + (36), [2,1 + V61]* — (11) 
A =62. 0 (4), 1 (2), 2 (4), 3 (2), 4 (4), 5 (2), 6 (4)
(1, V62] gaa (2), (62, V62| ee (20) 

A=63. 0 (6), 1 (5), 2 (2), 3 (9), 4 (2), 5 (4), 6 (2), 7 (1) 
[1, V63] (1), (63, V63] (14), [7, V63] (7), [2,1 + V63] (2), 
[3, V63]* (2), [21, V63]* (5) 

A=65. 0 (4), 1 (11), 2 (2), 3 (10), 4 (2), 5 (5), 6 (2), 7 (2) 
[1, V65] ++ (16), [5, V65] —— (6), [2,1+ V65]* —— (9), 
[10,5 + /65]* +4 (7) 

A=66. 0 (8), 1 (6), 2 (4), 3 (4), 4 (6), 5 (2), 6 (4), 7 (2) 
[1, 66] ++ + (8), (66, 66] — — + (16), [3, /66] — + — (4), 
[6, V66) + ~— — (8) 

A =67. 0 (2), 1 (13), 2 (8), 3 (4), 4 (4), 5 (6), 6 (2), 7 (2) 
[1, V67] ++ (19), [67, V67] —— (22) 

A=68. 0 (6), 1 (2), 2 (9), 3 (2), 4 (6), 5 (2), 6 (4), 7 (2) 
[1, V68} (4), [68, 68] (16), [2, V68]* (8), [4,2 + V68]* (5) 

A=69. 0 (4), 1 (9), 2 (6), 3 (13), 4 (2), 5 (6), 6 (2), 7 (2) 
[1, V69] ++ (8), (69, 69] —— (26), [2,1 + V69]* —— (2), 
[34,1 + V69]* +— (8) 

A=70. 0 (8), 1 (6), 2 (10), 3 (2), 4 (8), 5 (4), 6 (4), 7 (2) 
[1, 70] + + + (6), [70, /70] + — — (18), [2, V’70] — + — (10), 
[10, /70] — — + (10) 

A=71. 0 (2), 1 (13), 2 (2), 3 (4), 4 (4), 5 (4), 6 (2), 7 (2) 
(1, V71] ate (6), [71, V71] =! 6 (27) 

A=72. 0 (12), 1 (2), 2 (7), 3 (8), 4 (7), 5 (2), 6 (5), 7 (2) 
[1, 72] (2), (72, 72] (16), (8,4 + 72] (5), [4,2 + V72] (3), 
[2, V72]* (4), 3, V7)" (1), [4, V72]* (8), 6, V7)" (2), 
[24, /72]* (4) 

A=73. 0 (2), 1 (21), 2 (4), 3 (8), 4 (4), 5 (8), 6 (2), 7 (2) 
(1, V73] + (30), [2,1 + V73]* + (21) 

A=74. 0 (4), 1 (2), 2 (12), 3 (4), 4 (4), 5 (2), 6 (4), 7 (2) 
[1, V74] ae (20), [2, V74] —F (14) 
A=75. 0 (6), 1 (5), 2 (2), 3 (9), 4 (2), 5 (5), 6 (4), 7 (2)
(1, 75] (2), (75, V'75] (17), [3, V75] (2), (25, 75] (11), 
[5, V75]* (1), [15, V75]* (2) 
A=76. 0 (6), 1 (10), 2 (17), 3 (2), 4 (12), 5 (4), 6 (4), 7 (2) 
[1, V'76] (14), (76, v’'76] (26), [2, V'75]* (7), [4,2 + V’76]* (10) 
A=77. 0 (4), 1 (9), 2 (2), 3 (6), 4 (2), 5 (6), 6 (2), 7 (3) 
[1, V77 “ets (4), [77, V77| ae (22), (2,1 a V77\* St (1); 
[14,7 + V77]* —+ (7) 
A=78. 0 (8), 1 (6), 2 (4), 3 (4), 4 (4), 5 (2), 6 (6), 7 (2) 
[1, 78] + + + (2), (78, /78] — + — (20), [2, /78] — — + (4), 
[13, V78] SS (10) 
A=79. 0 (2), 1 (13), 2 (8), 3 (10), 4 (6), 5 (6), 6 (2), 7 (4) 
(1, /79] ++ (2), (79, V79] —— (23), [3,1+ V79] —— (5), 
[3,2 + V79] —— (5), [9,4 + V79] ++ (8), [9,5 + V79] ++ (8) 
A =80. 0 (10), 1 (2), 2 (7), 3 (2), 4 (6), 5 (4), 6 (4), 7 (2), 8 (1) 
[1, V80] (1), [80, V80] (16), [5, V80] (2), [16, V80] (5), 
[2, V80]* (2), [4, 80] (4), [8, v'80]* (8) 
A = 82. 0 (4), 1 (8), 2 (10), 3 (2), 4 (8), 5 (4), 6 (4), 7 (2), 8 (2) 
[1, V82] ++ (18), [2, V82] ++ (10), [3,1 + V82] —— (8), 
[3, 2+ 82] —— (8) 
A = 83. 0 (2), 1 (5), 2 (2), 3 (4), 4 (2), 5 (4), 6 (2), 7 (4), 8 (2) 
(1, V83] ++ (9), (83, V83] —— (18) 
A =84. 0 (12), 1 (2), 2 (15), 3 (6), 4 (6), 5 (2), 6 (7), 7 (2), 8 (2) 
[1, V84] (6), [84, V84] (18), [7, V84] (6), [12, V84] (6), 

[2, /84]* (4), [6, V84]* (10), [4,2 + V84]* (1), [12,6 + V84]* (3) 
A=85. 0 (4), 1 (21), 2 (6), 3 (6), 4 (4), 5 (11), 6 (2), 7 (4), 8 (2) 
[1, V85] ++ (28), [5, V85) —— (18), [2,1 + V85]* —+ (9), 

[10,5 + V85]* +— (5) 

A=86. 0 (4), 1 (6), 2 (4), 3 (6), 4 (8), 5 (2), 6 (4), 7 (2), 8 (2) 
[1, V86] ces (16), [86, V86) |. (22) 

A = 87. 0 (4), 1 (5), 2 (2), 3 (9), 4 (2), 5 (4), 6 (4), 7 (4), 8 (2) 
[1, /87] + ++ (3), [87, V87] — + — (18), [3, V87] +—— (9), 
[29, 87] — — + (6) 
A =88. 0 (8), 1 (6), 2 (17), 3 (2), 4 (13), 5 (4), 6 (6), 7 (2), 8 (2)
[1, 88] (5), [88, V88] (20), [8, V88] (13), [11, V88] (4), 

[2, V88]* (6), [4, V88]* (12) 

A=89. 0 (2), 1 (13), 2 (6), 3 (12), 4 (2), 5 (6), 6 (2), 7 (4), 8 (2) 
[1, /89] + (28), [2,1 + V89]* + (21) 

A=90. 0 (12), 1 (2), 2 (4), 3 (6), 4 (4), 5 (4), 6 (6), 7 (2), 8 (2) 
[1, V90] (2), [90, 90] (18), [2, V90] (2), [18, V90] (10), 

[3, V90]* (6), [6, V90]* (4) 

A=91. 0 (4), 1 (21), 2 (4), 3 (4), 4 (6), 5 (8), 6 (2), 7 (5), 8 (2) 
[1, V91] (12), [91, 91] (21), [7, V91] (10), [13, 91] (13) 

A=92. 0 (6), 1 (6), 2 (11), 3 (2), 4 (6), 5 (2), 6 (6), 7 (2), 8 (2) 
[1, V92] (6), [92, 92] (24), [2, V92]* (2), [46, V92]* (11) 

A =93. 0 (4), 1 (9), 2 (2), 3 (15), 4 (4), 5 (6), 6 (4), 7 (4), 8 (2) 
[1, V93] ++ (10), [93, 93] — — (28), [2,1+ V93]* — + (3), 
[6,3 + V93]* + — (9) 

A=94. 0 (4), 1 (6), 2 (18), 3 (4), 4 (8), 5 (4), 6 (4), 7 (4), 8 (2) 
[1, V94] ++ (12), [94, V94] — — (42) 

A=95. 0 (4), 1 (5), 2 (6), 3 (4), 4 (2), 5 (7), 6 (2), 7 (4), 8 (2) 
(1, M95] + + + (2), (95, 495] + — — (20), (2,1 + V95] — — + (4), 
[7,5 + V95] — + — (10) 

A=96. 0 (12), 1 (6), 2 (7), 3 (4), 4 (11), 5 (2), 6 (9), 7 (2), 8 (3) 
[1, V96] (2), [96, 96] (21), [32, 96] (7), [2, V96]* (1), 

[3, V96]* (6), [4, V96]* (2), [6, V96]* (2), [8, V96]* (4), 
[16, /96]* (3), [48, /96]* (8) 

A=97. 0 (2), 1 (21), 2 (4), 3 (8), 4 (6), 5 (10), 6 (2), 7 (6), 8 (2) 
[1, /97] + (36), [2,1 + V97]|* + (25) 

A=98. 0 (6), 1 (2), 2 (4), 3 (2), 4 (4), 5 (2), 6 (4), 7 (2), 8 (4) 
[1, V'98] (2), [98, V98] (26), [7, V98]* (2) 

A=99. 0 (6), 1 (9), 2 (6), 3 (15), 4 (2), 5 (4), 6 (4), 7 (4), 8 (2), 9 (1) 


[1, V99] (1), [99, V99] (18), [9, V99] (9), [11, V99] (2), 
[7,1 + V99] (4), [7,6 + V99] (4), [14,1 + V99] (3), 
[14,13 + 99} (3), [3, V99]* (3), [33, V99]* (6) 
A =101. 0 (2), 1 (15), 2 (2), 3 (6), 4 (4), 5 (6), 6 (4), 7 (4), 8 (2), 9 (2)


(1, V101] + (20), [4,1 + 101] + (8), [4,3 + 101] + (8), 
(2,1+/101]* — (11) 


A =102. 0 (8), 1 (2), 2 (8), 3 (4), 4 (4), 5 (4), 6 (6), 7 (2), 8 (4), 9 (2) 


[1, ¥102] +++ (10), [102, 102] — + — (20), 
[3, V102] States (6), [6, V102] a ies (8) 


A = 103. 0 (2), 1 (13), 2 (8), 3 (4), 4 (4), 5 (8), 6 (2), 7 (6), 8 (2), 9 (2) 
[1, 103] ++ (18), [103, 103) — — (33) 
A = 104. 0 (8), 1 (2), 2 (13), 3 (4), 4 (9), 5 (2), 6 (6), 7 (2), 8 (4), 9 (2) 


[1, V'104] (5), [104, v'104] (20), [8, V104] (7), [13, v'104] (4), 
[2, /104}* (10), [4, V104]* (6) 


A =105. 0(8), 1(13), 2(2), 3(15), 4(2), 5(9), 6(4), 7(5), 8(2), 9(2) 


[1, V105] + + + (4), [105,105] — + — (20), [3, V105] + — — (4), 
[15, V'105] Sede ) [2,1 + V/105]* Siar 8) 

[4,1 + V105]* +++ (4), [6,3 + V105]* — + — (8), 

[10,5 + V105]* + — —(11) 


A =106. 0(4), 1(14), 2(10), 3(2), 4(14), 5 (4), 6(6), 7(4), 8(4), 9 (2) 
[1, 105) ++ (34), [2, V106] —— (30) 

A= 107. 0 (2), 1 (5), 2 (2), 3 (8), 4 (4), 5 (4), 6 (2), 7 (4), 8 (2), 9 (2) 
[1, /107] ++ (13), [107, 107] —— (22) 

A = 108. 0(12), 1(2), 2(11), 3(8), 4(6), 5(2), 6(9), 7(2), 8(4), 9 (2) 


[1, 108] (6), (108, 108] (26), [2, /108]* (5), [3, V108]* (2), 
[6, V108]* (1), [9, V108]* (6), [18, V108]* (2), [54, V108]* (10) 


A= 109. 0(2), 1(21), 2(12), 3,(10), 4(4), 5 (12), 6(2), 7(8), 8 (2), 9(2) 
[1, /109] + (58), [2,1 + V109]* (17) 

A=110. 0 (8), 1 (2), 2 (4), 3 (2), 4 (4), 5 (4), 6 (4), 7 (2), 8 (4), 9 (2) 
[1, V110] + + + (2), [110, v110] + — — (20), [2, v110] — — + (4), 
[5, v'110 ali aes (10) 

A=111. 0 (4), 1 (13), 2 (2), 3 (9), 4 (4), 5 (4), 6 (6), 7 (4), 8 (2), 9 (2) 
(1, 111] ++4 (8), [111, Y111] — + — (22), 
(2,1 + V111] — — + (5), (6,3 + V111] + —— (15) 
Answers to Exercises


Answers to Exercises for Chapter 1 


5. Although the binary algorithm is slightly more efficient, there 
will probably be little if any difference in the execution times. 


6. In binary, 33 becomes 100001 and 21 becomes 10101 so the 
product in binary is simply 1010110101. This represents 512 + 128 
+32+16+4+1 = 693. 


7. 85352841855662246530010669104529797287. 
8. The quotient is 1818178099 and the remainder is 3082848597. 


Answers to Exercises for Chapter 2 


1. If $y$ is a multiple of 3, $y^2$ is too. If $y$ is one more than a
multiple of 3, say $y = 3n + 1$, then $y^2 = 9n^2 + 6n + 1$ is one more
than a multiple of 3. If $y$ is two more than a multiple of 3, then
$y^2 = (3n + 2)^2 = 9n^2 + 12n + 4$ is again one more than a multiple
of 3. Therefore, there is no $y$ whose square is one less than a multiple
of 3, let alone one whose square is one less than a square times 3.

2. Trial-and-error, best aided by a programmable calculator as in 
Exercise 9, gives the sequence of ratios 4, +, 2, 2, 4, #2, %, 4, 2 
... . The odd-numbered steps are easily seen to be given by the rules
$D = n + d$ and $N = D + 2d$ where $n$ and $d$ are the old numerator and
denominator and $N$ and $D$ are the new ones. The rule $N = D + d$
for the even-numbered steps is also easy to see. The rule for D on 
even-numbered steps is less obvious. It is (except for the second step) 
that D is the sum of the two previous denominators, or, in a rule that 


works in all cases, D = nd 


3. The identity $2x^2 + 2(x + y)^2 = (2x + y)^2 + y^2$ is simple algebra.
If $2x^2 + 1 = y^2$, the desired conclusion $2(x + y)^2 - 1 = (2x + y)^2$ follows
when $2x^2 + 1$ is subtracted from both sides. Similarly, $2x^2 - 1 = y^2$
implies $(2x + y)^2 - 1 = 2(x + y)^2$.

4, 4,2 9 38 16l | generated by D=n+2d and N =2D+d 
alternates between n? = 5d? + 1 and n? = 5d? — 1. 


5. Except for the trivial solution $y = 1$ when $Ax = 0$, the equation
$Ax^2 + 1 = y^2$ has a solution if and only if $A$ is not a square, although
this is by no means obvious. It is less easy to say when $Ax^2 - 1 = y^2$
has a solution; in the language of Chapter 23, it has a solution if and
only if $A$ is not a square and the module $[A, \sqrt{A}]$ is principal (except
when $A = x = 1$ and $y = 0$).

7. All solutions of $\square + B = \square$ can be found by taking all
factorizations $B = pq$ as a product of two factors in which $p > q$ and
setting $y = \frac{p+q}{2}$, $x = \frac{p-q}{2}$, ignoring cases in which there are no such
numbers $y$ and $x$ (i.e., cases in which one of $p$ and $q$ is even and the
other is odd). All solutions of $x^2 + B = y^2$ are obtained in this way.
The solutions of the given problem are derived from those, if any, in
which $x$ is divisible by the square root of $A$.


8. The sequence of squares 1, 4, 9, 16, ... is the sequence 1, 1 + 3,
1 + 3 + 5, 1 + 3 + 5 + 7, ..., as is easily seen. The algorithm
checks whether $N$ has the form $1 + 3 + 5 + \cdots + (2n - 1)$ for some $n$.

10. See the solution of Pell’s equation in Chapter 19. 


11. $s = 3166815962$ and $d = 4478554083$ satisfy $2s^2 + 1 = d^2$
because in both cases the number is 20057446674355970889.


Answers to Exercises for Chapter 3 


1. The squares mod 5 are 0, 1, and 4 and the squares mod 14 are
0, 1, 4, 9, 16 ≡ 2, 2 + 9 = 11, 11 + 11 = 22 ≡ 8, and 8 + 13 = 21 ≡ 7.
At the next step, 7 + 15 = 22 ≡ 8 is a repeat,
and all others will be repeats. A possible algorithm is the following
variation on the algorithm of Exercise 8, Chapter 2:


Input: A modulus a and a number N
Algorithm:
    Let k = 1, t = N
    While N > a
        Reduce N by a
    End
    While a > k and t ≠ 0
        If t < k add a to t
        Reduce t by k and increase k by 2
    End
Output: If t = 0 print “N ≡ ((k − 1)/2)² mod a”, else print “N is not a square
mod a”


2. The numbers that are 2 mod 3 are 2, 5, 8, 11, 14, 17, 20, ....
Mod 5 they are 2, 0, 3, 1, 4, 2, 0, 3, 1, ..., from which it is clear that
every fifth term is 1 mod 5, so the solutions are 11, 26, 41, .... In
short, the solutions of $x \equiv 2 \bmod 3$ and $x \equiv 1 \bmod 5$ are the solutions
of $x \equiv 11 \bmod 15$.


3. $x \equiv 17 \bmod 42$.


4. The multiples of 4 mod 15 are 4, 8, 12, 16 ≡ 1, 5, 9, 13, 17 ≡ 2,
6, 10, 14, 18 ≡ 3, ..., from which it is clear that 7 will be reached for
the first time on the 1 + 3·4 = 13th step, because 4 is reached on the
first step, and 4 steps increase it by 1. Thereafter, 7 will occur every
15th step. In short, $4x \equiv 7 \bmod 15$ if and only if $x \equiv 13 \bmod 15$.


5. $x \equiv 5 \bmod 7$.


6. Let $N$ be a large enough number that $Na > n$. (For example,
one could take $N = n$.) Then $u = Na - n$ is a number for which
$u + n \equiv 0 \bmod a$ and $x = u + m$ satisfies $x + n = u + m + n \equiv m \bmod a$.
Therefore, this congruence has a solution. If $x + n \equiv m \bmod a$ and
$x' + n \equiv m \bmod a$, then $x \equiv x + 0 \equiv x + u + n \equiv m + u \equiv x' + n + u \equiv x' \bmod a$,
so any two solutions are congruent mod $a$.


7. $2x \equiv 1 \bmod 4$ obviously has no solution, because an even
number cannot be congruent to an odd number mod 4. On the other
hand, $2x \equiv 2 \bmod 4$ has two solutions, 1 and 3, which are not the
same mod 4.


8. It is the trivial equivalence relation; any two numbers are 
congruent mod 1. 


9 and 10. See the following chapters. 


Answers to Exercises for Chapter 4 


2. A possible algorithm is: 


Input: A list a₁, a₂, ..., aₙ of nonzero numbers
Algorithm:
    While n > 1
        While a₁ ≠ a₂
            Set k = 1
            While a₁ > 2k·a₂ or a₂ > 2k·a₁
                Multiply k by 2
            End
            If a₁ < a₂ subtract k·a₁ from a₂
            Else subtract k·a₂ from a₁
        End
        Drop a₁ and reduce the subscripts on the other entries by 1
    End
Output: The list containing one number a₁ with which the algorithm
terminates


(For decimal arithmetic, change 2 to 10 in the three places it occurs.) 


3. In the picturesque notation of the question, $\frac{1}{6} \equiv 16 \bmod 19$,
$\frac{1}{3} \equiv 13 \bmod 19$, and $\frac{1}{2} \equiv 10 \bmod 19$, so the formula holds. To do
the same thing mod 43 requires a solution of the congruence
$6x \equiv 1 \bmod 43$. The method of the next chapter finds the solution $x = 36$,
which can of course also be found by trial-and-error. Then clearly
$u \equiv 2 \cdot 36 \equiv 29 \bmod 43$ satisfies $3u \equiv 1 \bmod 43$ (because $3u = 3 \cdot 2x = 6x$)
and $v \equiv 3 \cdot 36 \equiv 22 \bmod 43$ satisfies $2v \equiv 1 \bmod 43$ (because $2v = 6x$).
Thus, mod 43, the equation $\frac{1}{6} + \frac{1}{3} = \frac{1}{2}$ becomes the congruence
$36 + 29 \equiv 22 \bmod 43$, which is correct. In the mod 143 case, one
can similarly find that $x = 24$ is a solution of $6x \equiv 1 \bmod 143$; then
$u \equiv 2x \bmod 143$ and $v \equiv 3x \bmod 143$ satisfy $x + u \equiv v \bmod 143$, which is
described by $\frac{1}{6} + \frac{1}{3} = \frac{1}{2}$ because $3u \equiv 1$ and $2v \equiv 1$. The reason
this always works is that $6x \equiv 1 \bmod n$ has exactly one solution
when $n$ is relatively prime to 6 (see the next chapter); then
$3u \equiv 1 \bmod n$ and $2v \equiv 1 \bmod n$ have just the solutions $2x$ and $3x$ mod $n$
and the statement that $x + u \equiv v \bmod n$ follows immediately from
the observation that both sides are $\equiv 3x \bmod n$. This is simply the
process of finding the least common denominator 6 of the fractions
and writing the equation as the obvious equation $\frac{1}{6} + \frac{2}{6} = \frac{3}{6}$.


Answers to Exercises for Chapter 5 


1. (a) 283·123 = 76·458 + 1 and 47·458 = 175·123 + 1. The
algorithm takes 13 steps, or 11 if the “speeded up” version is used.


(b) The number 47·458 is 0 mod 458 and 1 mod 123, while the
number 283·123 is 0 mod 123 and 1 mod 458. Therefore, 100·47·458
is 0 mod 458 and 100 mod 123 while 300·283·123 is 0 mod 123
and 300 mod 458, so the sum of these two numbers solves the given
simultaneous congruences.


(c) Division of the solution 100·47·458 + 300·283·123 by 123·458
leaves a remainder 32818, which is the smallest solution.


2. (a) If x ≥ b in a solution of d + xa = yb, then yb = d + xa >
xa ≥ ba so y > a and ab can be subtracted from both sides to find
a solution d + (x − b)a = (y − a)b in which x is reduced to x − b.
Repetition of this procedure must eventually reach a solution in which
x < b. (b) Since the equation d + xa = yb can be divided by d, it
will suffice to show that there is at most one solution (x, y) of an
equation of the form 1 + xa = yb in which x < b. If 1 + x'a = y'b,
then x' = x' + x(1 + x'a) = x' + x + xx'a = x + x'(1 + xa) = x mod b,
so if x and x' are both less than b, they must be equal.

3. (a) At each step of the new algorithm, define d to be va − ub
and e to be yb − xa. Then both algorithms terminate if and only if
d = e, which is to say, if and only if a(v + x) = b(u + y). Otherwise,
both algorithms leave x and y unchanged and change u to u + y and
v to v + x when d > e—which is to say when a(v + x) > b(u + y)—and
both leave u and v unchanged and change y to u + y and x to v + x
when d < e—which is to say when a(v + x) < b(u + y).


(b) Multiply the inequalities u/v < p/q < y/x by qxv to restate them
as uqx < pxv < yqv. Let this be written A < B < C where A = uqx,
B = pxv, and C = yqv = q(ux + 1) = A + q. Since A and B are
both multiples of x, B − A ≥ x. Therefore, q = C − A > B − A ≥ x.
Similarly, B and C are multiples of v, so q = C − A > C − B ≥ v.
Thus, q > x and q > v as was to be shown.


(c) When the algorithm terminates, a/b = (u + y)/(v + x). Moreover
xu + 1 = yv at each step of the algorithm because this is true of the
initial values x = u = 0 and y = v = 1 and it remains true when u changes
to u + y and v changes to v + x (because x(u + y) + 1 = xu + xy + 1 =
yv + xy = y(v + x)) and when y changes to u + y and x changes to
v + x (because (v + x)u + 1 = vu + xu + 1 = vu + vy = (u + y)v).
Moreover, ux < yv implies uvx + ux^2 < uvx + yvx < yv^2 + yvx, which
implies u/v < (u + y)/(v + x) < y/x (divide by vx(v + x)). Therefore,
b > x and b > v by (b). Then, since u/v < a/b, which is to say
ub < va, it follows that uv < ub < av, so u < a.

4. According to Exercise 1, one can assume that u < a. Then
d + ub = va can be subtracted from ab + d = ab + d to find b(a − u) =
d + a(b − v), which shows that b > v and x = b − v and y = a − u. In
short, one of (u, v) and (x, y) determines the other via v + x = b and
u + y = a.

5. When a and b are relatively prime, d is 1 and (1) implies
yb = 1 mod a. In the suggestive notation of Exercise 3, Chapter 4,
y = 1/b mod a.


6 and 7. Multiplication of ax = c mod b by a reciprocal v of a
mod b gives vax = vc mod b, so x = vc mod b for any solution x of
ax = c mod b. Conversely, x = vc satisfies ax = avc = c mod b.


8. A possible formulation of the algorithm is: 


Input: Three numbers a, b, and c, with b > a > 0.
Algorithm:
t = 0
While t = 0
    m = 1
    While (m + 1)a ≤ b
        m = m + 1
    End
    If ma = b then t = 1
    Else a = (m + 1)a − b and c = (m + 1)c
End
Let q be the quotient when c is divided by a, and let r be the remainder
Output: If r ≠ 0 print “no solution” else print “x = q mod m”


(One might choose to reduce c mod b each time it is changed, or
at least to reduce q mod m at the last step. Also, instead of adding 1
to m, one might add the largest power of 2 that can be added without
violating ma ≤ b.)


10. m = 3 because the 4-digit number 1369 = 37^2 is the smallest
composite number whose factors are all greater than 31.


Answers to Exercises for Chapter 6 


1. The simultaneous congruences x = 2 mod 3, x = 3 mod 5, and
x = 2 mod 7 are equivalent to the single congruence x = 23 mod 3·5·7,
the most general solution of which is 23 + 105i, where i = 0, 1, 2, ....


2. The numbers k = 0, 1, 2, ..., 34, in that order, correspond 
to the pairs (0,0), (1,1), (2,2), (3,3), (4,4), (0,5), (1,6), (2,0), (3,1),
..., (3,5), (4,6), in that order, where the step from one pair to the 
next adds 1 to each entry, except that it reduces the first entry to 0 
when it is 4 and reduces the second entry to 0 when it is 6. 


3. There are 35 letters and 35 pigeonholes. If at least one letter 
goes into each pigeonhole, then no two letters can go into the same 
pigeonhole. 


4. If a_i = 0, then the condition that a_i must be relatively prime
to each a_j for j ≠ i implies that a_j = 1 for j ≠ i. Therefore, the
congruences x = m_j mod a_j impose no condition on x at all for j ≠ i,
whereas x = m_i mod a_i is the condition x = m_i. This is the same as
a single condition x = m_i mod a_1a_2···a_n, as the Chinese remainder
theorem says it should be.


5. (a) Since x = m mod a and x = n mod b imply x = m mod d
and x = n mod d, the existence of a solution x implies m = n mod d.
Conversely, if m = n mod d, then x = 0 mod a/d and x = (n − m)/d mod b/d
has a solution (assume without loss of generality that m < n) because
a/d and b/d are relatively prime. (Division of d + ua = vb by d gives an
equation which shows that a/d and b/d are relatively prime.) For such
an x, X = xd + m satisfies X = m mod a and X = n mod b. (b)
Clearly if x satisfies the given congruences, then x' = x + k·(ab/d)
also satisfies them for every k. Conversely, if x and x' are solutions
of x = m mod a and x = n mod b, their difference, call it y, is a
solution of y = 0 mod a and y = 0 mod b. Thus y/d = 0 mod a/d and
y/d = 0 mod b/d. Since 0 is a solution of these congruences, the theorem
of the text then implies that y/d = 0 mod (a/d)·(b/d), so y is a multiple
of d·(a/d)·(b/d) = ab/d as was to be shown.
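
The congruence answers above (Exercise 1 of Chapter 5 and Exercises 1, 5 and 6 of Chapter 6) can be checked mechanically. The following Python is an added example, not code from the book: it uses the standard quotient-based extended Euclidean algorithm rather than the book's augmented Euclidean algorithm, and all function names are this example's own.

```python
# Added example: solve simultaneous congruences, including the case of
# Exercise 5 where the moduli a and b share a common divisor d.

def extended_gcd(a, b):
    """Return (g, s, t) with g = gcd(a, b) and s*a + t*b == g."""
    old_r, r = a, b
    old_s, s = 1, 0
    old_t, t = 0, 1
    while r:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
        old_t, t = t, old_t - q * t
    return old_r, old_s, old_t


def reciprocal(a, n):
    """Least non-negative v with v*a = 1 mod n; error if none exists."""
    g, s, _ = extended_gcd(a % n, n)
    if g != 1:
        raise ValueError(f"{a} has no reciprocal mod {n}")
    return s % n


def solve_pair(m, a, n, b):
    """Solve x = m mod a and x = n mod b.

    Returns (x, L) where L = ab/d is the modulus of the solution and
    0 <= x < L, or None when m != n mod d (no solution exists).
    """
    d, u, _ = extended_gcd(a, b)          # u*a + t*b = d
    if (n - m) % d:
        return None                       # Exercise 5(a): need m = n mod d
    lcm = a // d * b
    # Write x = m + a*k; then a*k = n - m mod b, which after division by d
    # becomes (a/d)*k = (n - m)/d mod b/d, and u is a reciprocal of a/d.
    k = (n - m) // d * u % (b // d)
    return (m + a * k) % lcm, lcm


if __name__ == "__main__":
    # Chapter 5, Exercise 1: x = 100 mod 123 and x = 300 mod 458.
    print(reciprocal(123, 458), reciprocal(458, 123))
    print(solve_pair(100, 123, 300, 458))
    # Chapter 6, Exercise 1: fold three congruences into one.
    x, L = solve_pair(2, 3, 3, 5)
    print(solve_pair(x, L, 2, 7))
```

Because `solve_pair` returns the combined modulus, any number of congruences can be folded in one at a time, and a `None` result identifies the first pair that is inconsistent.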

6. The solution of q·14 + 10 = 20 mod 23 can be accomplished by
the simple steps 14q = 10 mod 23, 28q = 20 mod 23, 5q = 20 mod 23,
from which the solution q = 4 is apparent and the solution 4·14 + 10 =
66 follows.


Answers to Exercises for Chapter 7 


2. What is to be shown is that if Ax^2 = y^2 where A, x, and y are
numbers, then A is a square. The fundamental theorem of arithmetic
implies that the number of times any given prime factor divides a
square is even. Therefore, for any prime factor p, the number of
times p divides A plus an even number is equal to an even number.
Therefore, the number of times p divides A is even. Therefore A is the
square of the number that is the product of the same distinct prime
factors as A in which each occurs half as many times as it occurs in A.


4 and 5. The improvement of Exercise 4 should, roughly, make 
the program twice as fast, and that of Exercise 5 should be an even 
greater improvement. 


Answers to Exercises for Chapter 8 


1. a^0 = 1 when a ≠ 0 and 0^b = 0 when b ≠ 0. There is no
reasonable definition of 0^0, any more than there is of 0/0.


2. The orders of the numbers 1 through 12 mod 13 are 1, 12, 3, 
6, 4, 12, 12, 4, 3, 6, 12, 2, respectively. 

4. 2^10 = 1 mod 11, 2^20 = 4 mod 21, 2^30 = 1 mod 31, 2^40 = 1 mod
41, 2^50 = 4 mod 51, 2^60 = 1 mod 61, 2^70 = 1 mod 71, 2^80 = 40 mod
81, 2^90 = 64 mod 91, and 2^100 = 1 mod 101. As for regularities, see
later chapters, especially Chapter 11.


6. The theorems of Chapter 10 will provide ways of predicting the
outcomes of many such calculations—such as computing a^(n−1) mod
n—which can be used to check that the program you develop is
producing correct answers.


Answers to Exercises for Chapter 9 


1. A number in the suggested form qc + r is relatively prime to
c if and only if r is relatively prime to c. Therefore, exactly p·φ(c)
numbers less than pc are relatively prime to c (q can have any of the
values 0, 1, ..., p − 1 but r must be relatively prime to c) and the
problem is to determine how many of these are relatively prime to pc.
If p divides c, then all of them are relatively prime to pc. Otherwise,
for any given r, exactly one of the p numbers qc + r is divisible by
p because the congruence qc + r = 0 mod p has a unique solution
q mod p (c has a reciprocal mod p). Therefore φ(pc) = (p − 1)φ(c) in
this case.


2. The formula doesn’t really involve fractions, because to multiply
c by (1 − 1/p) means to divide c by p (and by assumption p is a
divisor of c) and then multiply by p − 1. The proposition of Exercise
1 shows that if the formula gives the correct value of φ(c), then it
gives the correct value of φ(pc) for any prime p. Moreover, it gives
the correct value of φ(1), in which case there are no prime divisors
of c. Therefore, the value of φ(c) for any product of primes c can
be found starting with φ(p) = p − 1 for one of the prime factors of
c and then multiplying by the primes one at a time. Each time c is
multiplied by a new prime, φ(c) is multiplied by p − 1 instead of p.


3. φ(60) = 16. It counts 1, the 14 primes greater than 5 and less
than 60, and the composite number 49.


4. The formula of Exercise 2 shows that both φ(mn) and φ(m)φ(n)
are mn(1 − 1/p_1)(1 − 1/p_2)···(1 − 1/p_r) where p_1, p_2, ..., p_r are
the distinct prime factors of mn, provided m and n have no prime
factors in common.


Answers to Exercises for Chapter 10


2. (a) For any numbers a and b and for any prime p, (a + b)^p =
a^p + b^p mod p.

(b) The coefficient of a^k b^(p−k) in the expansion of (a + b)^p is
p!/(k!(p − k)!). The numerator contains the factor p and the
denominator does not, unless k = p or k = 0 (because p, being prime,
does not divide any number less than p). Therefore, this coefficient,
which is of course a number, is 0 mod p.

(c) The formula in (a) implies (a + b + c)^p = (a + b)^p + c^p =
a^p + b^p + c^p mod p and in the same way implies (a + b + ··· + e)^p =
a^p + b^p + ··· + e^p mod p for any number of summands a, b, ..., e.
When there are k summands, all equal to 1, this formula says that
k^p = k mod p, which is Fermat’s theorem.


3. By the corollary, the order of 2 mod p divides n. Since n is
assumed to be prime, the order of 2 mod p must then be n. Also by the
corollary, the order of 2 mod p divides φ(p) = p − 1, so p = 1 mod n,
as was to be shown.


A prime factor of 2^7 − 1 would have to be congruent to 1 mod 7.
The smallest such prime is 29, which is greater by far than the square
root of 2^7 − 1, so 2^7 − 1 is prime because it has no prime factors less
than its square root.


A prime factor of 2^11 − 1 must be 1 mod 11, so the first prime to
be tested is 23. In fact, 2^11 = 1 mod 23 by simple exponentiation, so
2^11 − 1 = 2047 has the factor 23 and is not prime.

The only possible prime factors of 2^13 − 1 are 53 and 79, because
all other primes that are congruent to 1 mod 13 are greater than the
square root of 2^13 − 1. Because 2^13 = 30 mod 53 and 2^13 = 55 mod 79,
these primes do not divide 2^13 − 1, so it must be prime.

4. (a) (14ed6li9ah)(2873bk fgjc). (b) (1248e7d36blki f9gajzhc). 
(d) (le62a)(4dl9h)(27bf7)(83kgc). (e) (16aez)(41hd9) (2057 f)(8kc3g). 

5. The orders of 99, 100, and 101 mod 221 are 16, 24, and 6, 
respectively. 


Answers to Exercises for Chapter 11


1. The answer is not clear. On the one hand, if n passes Miller’s 
test for all prime bases less than 10, for example, then it passes Miller’s 
test for all bases less than 10, and even for all bases that are products 
of just these primes. On the other hand, if n fails Miller’s test for just 
one of two prime bases, it will fail for their product, and even if it 
fails for both, it seems less likely to pass for their product; therefore, 
it would seem that one test with the base 6 would have almost as 
good a chance of spotting a composite number as two tests, one for 
the base 2 and one for the base 3. Since the tests require relatively 
little computation, it is not very important to decide. 


2.


Input: n, a (1 < a < n and n is odd)
Algorithm:
i = 1
e = (n − 1)/2
While 2 divides e
    e = e/2
    i = i + 1
End
t = 1
Compute u = a^e mod n
If u = 1 mod n then t = 0
While t = 1 and i ≥ 1
    If u = −1 mod n then t = 0
    Else u = u^2 mod n and i = i − 1
End
Output: If t = 1, n is composite. Otherwise, n passes Miller’s test for the
base a


(If a^((n−1)/2^i) = 1 mod n, then n passes Miller’s test for the base
a. Otherwise, n passes Miller’s test only if a^((n−1)/2^j) = −1 for some
j = 1, 2, ..., i.)

3. 2^200 = 1 but 2^100 = 2260 mod 12801 and 5^400 = 1 but 5^200 =
2260 mod 12801. (On the other hand 3^6400 = 2874 mod 12801 and
7^6400 = 9436 mod 12801, so 12801 fails Miller’s test for the bases 3
and 7 immediately.)
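
The pseudocode of Exercise 2 and the powers quoted in Exercise 3, as an added Python example that is not part of the book: `miller_test` follows the pseudocode step for step, and `first_nontrivial_power` (a name chosen here) walks a^((n−1)/2^j) mod n downward until a value other than 1 appears.

```python
# Added example: Miller's test as in the answer to Exercise 2, plus a helper
# that reproduces the values quoted for n = 12801 in the answer to Exercise 3.

def miller_test(n, a):
    """Return True if odd n passes Miller's test for the base a, else False.

    False proves that n is composite; True proves nothing by itself.
    """
    if n < 3 or n % 2 == 0 or not 1 < a < n:
        raise ValueError("need odd n >= 3 and 1 < a < n")
    # Strip factors of 2: afterwards n - 1 = 2^i * e with e odd.
    e, i = (n - 1) // 2, 1
    while e % 2 == 0:
        e //= 2
        i += 1
    u = pow(a, e, n)
    if u == 1:
        return True
    # Look for -1 among a^e, a^(2e), ..., a^((n-1)/2): exactly i values.
    while i >= 1:
        if u == n - 1:
            return True
        u = u * u % n
        i -= 1
    return False


def first_nontrivial_power(n, a):
    """Halve the exponent n-1 repeatedly; return the first (exponent, value)
    with a^exponent mod n != 1, or None if every such power equals 1."""
    e = n - 1
    while e % 2 == 0:
        e //= 2
        u = pow(a, e, n)
        if u != 1:
            return e, u
    return None


if __name__ == "__main__":
    n = 12801
    for base in (2, 3, 5, 7):
        print(base, first_nontrivial_power(n, base), miller_test(n, base))
    # 2047 = 23 * 89 passes for the base 2 but is exposed by the base 3.
    print(miller_test(2047, 2), miller_test(2047, 3))
```

A value such as 2260, which is neither 1 nor −1 but squares to 1, is what exposes 12801 as composite for the bases 2 and 5.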


Answer to Exercise for Chapter 12


If you tried to do something clever in choosing e or in choosing p 
and q, you were probably playing into the hands of codebreakers. It 
is essential to make random choices. 


Answers to Exercises for Chapter 13 


1. The first 12 powers of 2 mod 13 are distinct. They are 2, 4, 8,
16 = 3, 6, 12, 24 = 11, 22 = 9, 18 = 5, 10, 20 = 7, 14 = 1. There
are φ(12) = 4 primitive roots mod 13, namely, 2, 2^5 = 6, 2^7 = 11,
and 2^11 = 7. The remaining numbers less than 13 are partitioned
into φ(6) = 2 numbers whose order mod 13 is 6 (they are 2^2 = 4 and
2^10 = 10), φ(4) = 2 numbers whose order is 4 (they are 2^3 = 8 and
2^9 = 5), φ(3) = 2 numbers whose order is 3 (they are 2^4 = 3 and
2^8 = 9), φ(2) = 1 number whose order is 2 (it is 2^6 = 12 = −1) and
φ(1) = 1 number whose order is 1 (it is 1).


2. Partition the p − 1 positive numbers less than p into subsets
S_r by putting in S_r all numbers whose orders mod p are r. The
subset S_r is nonempty if and only if r divides p − 1, and in this case
it contains exactly φ(r) elements. The formula says simply that the
p − 1 numbers in all the sets put together can be counted by counting
the elements in each of the sets separately and adding the results.


3. If a has order 25 mod p, then a^5, a^10, a^15, and a^20 have order
5 mod p, a^25 = 1 has order 1 mod p, and the remaining 20 distinct
powers of a mod p all have order 25.


4. Neither 2^50 nor 2^20 is congruent to 1 mod 101, so 2 is a
primitive root mod 101. Therefore, its 4th power 16 has order 25 =
(101 − 1)/4 mod 101, and 16^5 = 95 mod 101 has order 5. Exercise 3 then
shows how to find all numbers whose orders mod 101 are 5 or 25,
which are the other possible answers.


5. Gauss’s method in this case is simply to compute 2^128 mod 257,
3^128 mod 257, until an answer other than 1 (which must be −1) is
found. In fact, 3^128 = −1 mod 257, so 3 is a primitive root mod 257.
There are 128 primitive roots mod 257, namely, the odd powers of 3.
Since 11^128 = 1 mod 257, it is not a primitive root mod 257.


7. There are none for 43. There are two each for the other two;
for 37 they are ±6 and for 41 they are ±9.


Answers to Exercises for Chapter 14 


1. (a) The numbers are 12, 0, 11, 0, 0, 11, 11, 11, 11, 0, 0, 11,
0. Simply put, the answer is 0 for nonzero squares mod 13, 12 for 0,
and 11 for other numbers. Note that x^6 − 1 has 6 roots mod 13.

(b) x^6 − 1 = (x − 1)(x^5 + x^4 + x^3 + x^2 + x + 1) + 0 mod 13. (In
fact, this congruence is true mod n for any n.)

(c) The roots, by direct computation using a calculator, are 3
(the value for 3 is 364 = 0 mod 13), 4 (1365 = 0 mod 13), 9 (66430 =
0 mod 13), 10 (111111 = 0 mod 13), and 12 (271453 = 0 mod 13).
Note that this polynomial of degree 5 has 5 roots.


(d) The six roots of x^6 − 1 are partitioned by the factorization
(x − 1)(x^5 + x^4 + x^3 + x^2 + x + 1) into the roots of the first factor
(the single root 1) and the roots of the second factor (the other five).

2. By Fermat’s theorem, all 13 numbers less than 13 are roots.
Therefore, by the theorem of this chapter, x − a divides x^13 − x for
all a and x^13 − x = x(x − 1)(x − 2)(x − 3)(x − 4)(x − 5)(x − 6)(x −
7)(x − 8)(x − 9)(x − 10)(x − 11)(x − 12) mod 13, a result that can be
verified by direct multiplication (somewhat lengthy).


3. The squares mod 7 are 0, 1, 2, and 4. Therefore, x^2 = 3 mod 7
is impossible, which is to say that x^2 + 4 has no root mod 7. Therefore,
x^3 + 4x has the single root x = 0 mod 7. The cubes mod 7 are 0 and
±1. Therefore, x^3 + 2 has no roots mod 7. There are of course many
other examples.


Answers to Exercises for Chapter 15


1.

numbers
     0  1  2  3  4  5  6  7  8  9
0       17 10 15 07 26 08 12 18 27
1    25 22 02 03 20 30 14 21 16 24
2    05 23 19 13 04 06 09 29 28 11
3    01

indices
     0  1  2  3  4  5  6  7  8  9
0       30 12 13 24 20 25 04 06 26
1    02 29 07 23 16 03 18 01 08 22
2    14 17 11 21 19 10 05 09 28 27
3    15


3. The quadratic formula calls for a square root of 2^2 − 4·1·
(−1) = 8. The index of 8 for p = 151 is 60, so 8 has two square roots
mod 151, the numbers whose indices are 30 and 30 + 150/2 = 105,
which are the numbers 59 and 92. The roots of x^2 + 2x − 1 mod 151 are
(−2 + 59)/2 and (−2 + 92)/2 = 45. The first number is 104, as follows
easily from 1/2 = 152/2 = 76 or even more easily from r_1 + r_2 = −2 =
149 mod 151. Indeed, 45^2 + 2·45 − 1 = 2114 = 14·151 and
104^2 + 2·104 − 1 = 11023 = 73·151. The index of 8 for p = 157 is 129;
since it is odd, x^2 + 2x − 1 has no roots mod 157.

4. φ(156) = φ(2^2·3·13) = 2·2·12 = 48 is the number of primitive
roots mod 157. The one used in constructing the table is 139. Two
others are 139^5 = 84 and 139^7 = 55 mod 157 because 5 and 7 are
relatively prime to 156. The number of primitive roots mod 151 is
φ(150) = 40.


5. The index 122 of 3 is not divisible by 3, so 3 is not a cube
mod 157. The index 147 of 2 is 3·49, so 2 has three cube roots, the
numbers whose indices are 49, 49 + 156/3 = 101, and 49 + 2·156/3 = 153.
These are 62, 136, and 116, respectively. Indeed, 62^3 = 2 + 1518·157,
136^3 = 2 + 16022·157, 116^3 = 2 + 9942·157.


6. The smallest solution i of 30^i = 1 mod 157 is the smallest
solution i of 124i = 0 mod 156. Divide by the greatest common
divisor 4 of 124 and 156 to find 31i = 0 mod 39, the smallest solution
of which is i = 39. Thus, 39 is the order of 30 mod 157. The order
of 90 mod 157 is the smallest solution i of 90i = 0 mod 156, which is
26.


7. 10^6 = 67 mod 157 and 10^6 = 78 mod 151. (In both cases the
index of 10 is 2 so 10^6 is the number whose index is 12.)


Answers to Exercises for Chapter 16 


1. The nth term of the sequence is the ratio in which the
denominator is the coefficient of √2 in (1 + √2)^n and the numerator is
the other coefficient. (This formula is clearly correct for n = 1. If it is
correct for n − 1, then (1 + √2)^n = (N_{n−1} + D_{n−1}√2)(1 + √2) =
(N_{n−1} + 2D_{n−1}) + (N_{n−1} + D_{n−1})√2 where N_{n−1} and D_{n−1} are the
numerator and denominator, respectively, of the (n − 1)st term of the
sequence. The definition of the sequence, which is D_n = N_{n−1} + D_{n−1}
and N_n = D_n + D_{n−1} = N_{n−1} + 2D_{n−1}, then shows that the formula
is correct for n.)


2. A term with odd index is found by multiplying the preceding
term by 1 + √3. Thus, N + D√3 = (1 + √3)(n + d√3), which gives the
desired formulas D = n + d and N = n + 3d = D + 2d. A term with
even index is found by multiplying the preceding term by
(2 + √3)/(1 + √3) = (1 + √3)/2. Thus N + D√3 = (1/2)(n + 3d + (n + d)√3) =
d + (n + d)/2 + ((n + d)/2)√3, which gives the desired formulas. (For
terms with odd index, the difference between numerator and denominator
is an even number—it is twice the previous denominator—so their sum
is divisible by 2.)


3. The nth term of the sequence (beginning with n = 0) has
the coefficient of √5 in (2 + √5)^n in its denominator and the other
coefficient of (2 + √5)^n in its numerator, from which the formulas
D = n + 2d and N = 2D + d follow easily.


Answers to Exercises for Chapter 17 


1. Of course there are many ways to prove these equations. For 
example: 


(a) The formula y^2 + x√A(y + x√A) = y^2 + xy√A + Ax^2 =
y(y + x√A) + Ax^2 shows that y^2 = Ax^2 mod [y + x√A]. Therefore,
49 = 44 mod [7 + 2√11] so 5 = 0 mod [7 + 2√11] and [7 + 2√11] =
[5, 7 + 2√11]. This in turn is [5, 7 + 2√11, 21 + 6√11] (the last entry
is three times the second). Because 21 + 6√11 = 1 + √11 mod 5 and
7 + 2√11 = 0 mod [5, 1 + √11], the desired equation follows.


(b) The congruence y^2 = Ax^2 mod [y + x√A] in the answer to (a)
implies 49 = 7 mod [7 + √7] and 169 = 112 mod [13 + 4√7], so 49 − 7 =
0 = 169 − 112 mod [7 + √7, 13 + 4√7] and the given module is equal to
[7 + √7, 13 + 4√7, 42, 57]. By the Euclidean algorithm, [42, 57] = [3],
so the given module is [3, 7 + √7, 13 + 4√7] = [3, 1 + √7, 1 + √7], as
was to be shown.


2. 5√11 + 2√11(22 + 7√11) = 7(22 + 7√11) and 11 + √11 +
3(22 + 7√11) = √11(22 + 7√11).

3. First, the fact that y^2 = Ax^2 mod [y + x√A] as in Exercise 1
implies that if y + x√A is a nonzero entry of the list, then |y^2 − Ax^2|
is a nonzero number that can be annexed to the list. All subsequent
calculations can be regarded as calculations mod n for some number
n that is in the list. If there is more than one number (as opposed
to hypernumbers) in the list, they can be replaced by their greatest
common divisor using the Euclidean algorithm. Therefore, one
can assume without loss of generality that the list contains just one
number, which is not zero. If n is that number, then n√A can be
annexed to the list. Therefore, one can assume without loss of
generality that the list contains at least one hypernumber that is not a
number. If v + u√A and y + x√A are hypernumbers in the list in
which 0 < x < u and x does not divide u, then a hypernumber in
which the coefficient of √A is less than x can be annexed to the list,
namely, mn + (v + u√A) − q(y + x√A), where q is the quotient when
u is divided by x and m is large enough to make the subtraction
possible. Therefore, one can assume without loss of generality that the
list of hypernumbers has the property that the smallest coefficient of
√A among the hypernumbers in the list divides the coefficients of √A
in all hypernumbers in the list. Then n and y + x√A can be used
to replace all hypernumbers in the list other than n and y + x√A
with numbers. Then the Euclidean algorithm can be used to put the
module in the form [n, y + x√A] where x > 0. Moreover, since n√A
and Ax + y√A can be annexed to this list, one can also assume x
divides both n and y, because otherwise [n, y + x√A] can be replaced
with another module in the same form in which x is reduced. In other
words, the given module can be put in the form [e][f, g + √A], as was
to be shown. Since this can be written [e][f, |g^2 − A|, g + √A], one can
also assume g^2 = A mod f, since otherwise it is equal to one of the
same form in which f is reduced. See also the proof in Chapter 18.


4. The given product can be written [f, G + √A][F, G + √A]
because [f, G + √A] = [f, g + √A] and [F, G + √A] = [F, G + √A]. By
definition, this product module is [fF, f(G + √A), F(G + √A), (G +
√A)^2]. The augmented Euclidean algorithm gives a solution (x, y) of
xf + 1 = yF, because f and F are relatively prime. The hypernumber
yF(G + √A) can be annexed to this list of four hypernumbers, and
then f(G + √A) can be subtracted from it x times to find that the
product module is [fF, f(G + √A), F(G + √A), (G + √A)^2, G + √A].
The middle three terms are multiples of the last and can therefore be
dropped.


Answers to Exercises for Chapter 18 


1. (a) See Exercise 1(a) of Chapter 17. (b) [7, 2 + √3] = [7, 2 +
√3, 3 + 2√3] = [7, 2 + √3, 10 + 2√3] = [7, 2 + √3, 6] = [1, 2 + √3] =
[1, √3]. (c) [11, 10 + 2√3] = [11, 10 + 2√3, 60 + 12√3] = [11, 10 +
2√3, 5 + √3] (reduce coefficients of last entry mod 11) = [11, 5 + √3].
(d) [25 + 6√3, 20 + 7√3] = [517, 25 + 6√3, 20 + 7√3] = [517, 25 +
6√3, 537 + 7√3] = [517, 25 + 6√3, 512 + √3] = [517, 5170 + 25 − 6·
512, 512 + √3] = [517, 2123, 512 + √3] = [11, 512 + √3] = [11, 6 + √3].

2. First, [e] = [x, y]. Since [y + x√A] = [e][y/e + (x/e)√A], it will
suffice to find the canonical form of [y + x√A] in the case in which x
and y are relatively prime. In this case, [y + x√A] = [f, g + √A], where
f = |y^2 − Ax^2| and g is the least solution mod f of y = gx mod f,
as can be seen in the following way. As was shown in this chapter,
the number f defined in this way can be annexed to the list, so the
given module is equal to [f, y + x√A] = [f, y + x√A, ry + rx√A] for
any r. When r is taken to be the reciprocal of x mod f (which exists,
because a common divisor of f = |y^2 − Ax^2| and x is a common
divisor of x and y^2), it follows that the given module is equal to
[f, y + x√A, ry + √A] = [f, qf + y − xry, ry + √A] for sufficiently large
q. Clearly qf + y − xry = 0 mod f, so the given module is [f, ry + √A]
and what is to be shown is that ry satisfies y = (ry)x mod f, which is
clear, and that (ry)^2 = A mod f, which follows when y^2 = Ax^2 mod f
is multiplied by r^2.


3. f must be a number modulo which A is a square. 


Answers to Exercises for Chapter 19 


1. Because 21 is divisible by no square greater than 1, only
primitive solutions are possible. There are 4 square roots of 79 mod 21,
which can be found by combining the square roots ±1 of 79 mod 3 and
the square roots ±3 of 79 mod 7 using the Chinese remainder theorem.
They are 4, 10, 11, 17. Application of the comparison algorithm to
[21, 4 + √79] repeats the module [21, 4 + √79] on the 8th step without
reaching [1], so g = 4 corresponds to no solutions of 79□ + 21 = □. Its
application to [21, 10 + √79] reaches [1] on steps 2, 4, 6, ... , which
gives the sequence of hypernumbers (89 + 10√79)(80 + 9√79)^n for
n = 0, 1, 2, ... whose coefficients solve 79□ + 21 = □. Similarly,
[21, 11 + √79] leads to (10 + √79)(80 + 9√79)^n and [21, 17 + √79]
leads to no solutions.


2. When the application of the comparison algorithm is organized
in the suggested way, it takes the form

r      4   5   7  11  13  13  11   7   5   4
f    1   3   4   9  12  13  12   9   4   3   1


The numerator of the hypernumber that gives the smallest solution
is (4 + √13)^2(5 + √13)^2(7 + √13)^2(11 + √13)^2(13 + √13)^2 =
(33 + 9√13)^2(90 + 18√13)^2(182 + 26√13) = 3^2·18^2·26(11 + 3√13)^2(5 +
√13)^2(7 + √13). The numbers in front cancel part of the denominator
leaving (94 + 26√13)^2(7 + √13) = 2^2·6(83 + 23√13)(47 + 13√13) =
2^2·6·12(649 + 180√13) in the numerator. All the number factors
cancel and the solutions of 13□ + 1 = □ are the coefficients
of (649 + 180√13)^n for n = 0, 1, 2, ....


4. Eighteen applications of the comparison algorithm to [1] end
with [61, √61], after which 18 more steps are needed to return to [1].
The hypernumber that describes the smallest nontrivial solution of
61□ + 1 = □ therefore has in its numerator the square of the product of
18 factors r_i + √61 in which the r_i are 8, 10, 16, 14, 13, 11, 9, 11, 19, 21,
17, 19, 31, 41, 49, 55, 59, 61. When these factors are paired and
number factors are removed, one finds a product of 9 factors 47 + 6√61,
19 + 2√61, 17 + 2√61, 8 + √61, 23 + 2√61, 32 + 3√61, 37 + 2√61,
53 + 2√61, and 61 + 2√61. In a similar way, let the first 8 of these
factors be paired and let number factors be removed to find a product of
4 factors 125 + 16√61, 58 + 7√61, 258 + 33√61, and 49 + 4√61. Again,
this is a number times (7162 + 917√61)(182 + 23√61), and finally a
number times 172669 + 22108√61. Multiplication by the last of the
9 factors 61 + 2√61 gives a number times 57(232105 + 29718√61).
In fact, if one keeps track of the omitted number factors, one finds
that all are canceled by the denominator and that the required
hypernumber is the square of 232105 + 29718√61 divided by 61. Since
the hypernumber that is being squared is √61(29718 + 3805√61), the
required hypernumber is the square of 29718 + 3805√61. In short, the
smallest number x for which 61x^2 + 1 is a square is x = 2·3805·29718 =
226153980. This exact answer was given by Bhaskara Acharya in the
12th century.
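
The Pell solutions quoted in Exercises 1, 2 and 4 can be confirmed independently. This added Python example is not the book's comparison algorithm: it finds the smallest solution with the standard continued-fraction expansion of √A, and its function names are chosen here.

```python
# Added example: smallest solution of y^2 = A*x^2 + 1 via the continued
# fraction of sqrt(A), and the solution families (seed)*(unit)^n of Exercise 1.
from math import isqrt


def pell_fundamental(A):
    """Return the smallest (y, x) with x > 0 and y*y - A*x*x == 1."""
    a0 = isqrt(A)
    if a0 * a0 == A:
        raise ValueError("A must not be a square")
    m, d, a = 0, 1, a0          # state of the continued-fraction expansion
    h_prev, h = 1, a0           # numerators of successive convergents
    k_prev, k = 0, 1            # denominators of successive convergents
    while h * h - A * k * k != 1:
        m = d * a - m
        d = (A - m * m) // d
        a = (a0 + m) // d
        h_prev, h = h, a * h + h_prev
        k_prev, k = k, a * k + k_prev
    return h, k


def times(p, q, A):
    """Product of hypernumbers p = (y, x) and q = (y', x'), i.e. of
    y + x*sqrt(A) and y' + x'*sqrt(A), returned in the same (y, x) form."""
    return p[0] * q[0] + A * p[1] * q[1], p[0] * q[1] + p[1] * q[0]


def family(seed, A, count):
    """First `count` members of seed * unit^n, unit = smallest Pell solution."""
    unit = pell_fundamental(A)
    out, cur = [], seed
    for _ in range(count):
        out.append(cur)
        cur = times(cur, unit, A)
    return out


if __name__ == "__main__":
    print(pell_fundamental(13))        # Exercise 2
    print(pell_fundamental(61))        # Exercise 4
    # Exercise 1: both families solve 79*x^2 + 21 = y^2.
    for seed in ((89, 10), (10, 1)):
        print([(y, x, y * y - 79 * x * x) for y, x in family(seed, 79, 3)])
```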


5. The additional factors in the numerator and denominator of 
(4) are simply the factors that appear when (4) is used to solve Pell’s 
equation. 


6. See, for example, [E2 p. aa. 


Answers to Exercises for Chapter 20 


2. Let Q = (s^2 − A)(Y^2 − AX^2) where, by assumption, s^2 > A
and Y^2 > AX^2. Then A(Y^2 − AX^2) + Q = s^2(Y^2 − AX^2) so AY^2 +
s^2AX^2 + Q = s^2Y^2 + A^2X^2. Subtract 2AsXY from both sides and use
the identity a^2 + b^2 − 2ab = |a − b|^2 to find A|Y − sX|^2 + Q = |sY − AX|^2,
which is the required identity when Y > sX and sY > AX.

4. The square of (1 + √A)/2 is (1 + 2√A + A)/4 = (1 + √A)/2 + (A − 1)/4,
so (1 + √A)/2 is a root of X^2 − X − (A − 1)/4.


5. By elementary algebra, if y + x√A is a root of X^2 + aX + b,
then a = −2y and b = y^2 − Ax^2. Therefore, y + x√A determines a
and b and, in particular, determines whether they are integers. (Note
that this also proves that 2y is an integer. Combined with the fact
that a product of algebraic integers is an algebraic integer, it implies
that 2x and 2y must be integers whenever y + x√A is a unit.)


6. Let X = y + x√A be a root of X^2 + aX + b. Division by
bX^2 then gives 1/b + (a/b)·(1/X) + (1/X)^2 = 0. Because 1/X is an
algebraic integer, Exercise 5 implies that 1/b is an integer (as is a/b),
so b = ±1.

7. When A is negative, y^2 − Ax^2 is a sum of two terms; if it
is 1, then, since the second term is at least |A|·(1/4) unless it is zero,
the second term must be zero except in the cases A = −1, −2, −3,
or −4. Since x = 1/2 is impossible in the cases A = −2 and −4 (in
fact, −4 does not arise at all because it is divisible by the square 4),
except when A = −1 or −3, the only units in Q(√A) are ±1, so ±1
are fundamental units. In the remaining two cases, it is easy to show
that ±√−1 are fundamental units in the case A = −1 and (±1 ± √−3)/2
are fundamental units in the case A = −3.


8. The equation Ay^2 + A = z^2 has a solution if and only if
repeated application of the comparison algorithm to [A, √A] reaches
[1]. (Since A is divisible by no square greater than 1, 0 is the only
square root of A mod A that is less than A.) It is first to be shown that
[1] is reached if and only if the cycle of [1] is as described. Certainly
if the cycle is as described then [1] is reached, because the second
half of the steps go from [A, √A] to [1]. Suppose now that repeated
application of the comparison to [A, √A] does reach [1], say it reaches
[1] for the first time on the nth step. What is to be shown is that n
more steps return to [A, √A] in a way that mirrors the first n steps—
specifically, r_{n+i} = r_{n+1−i} and f_{n+i} = f_{n−i} for i = 1, 2, ..., n. The
lemma of Chapter 26 below shows that the cycle of [1] always shows
a symmetry of this type, whether or not it contains [A, √A], so no
proof will be given here, but the proof in this specific case is not at
all difficult. The formula for the solution of Pell’s equation for an A
for which the cycle of [1] contains [A, √A] therefore takes the form


(fifo=**fani) <A 


where $r_1, r_2, \ldots, r_n$ and $f_1, f_2, \ldots, f_{n-1}$ are the numbers (in reverse
order) used to construct the hypernumber z2 + y2VA that gives the 
smallest solution of z2 = Ay + A. The assumption that A has no 
square divisors greater than 1 easily implies that z2 = 0 mod A and
the remaining statements follow. 


9. In the first case, when $-1 = y^2 - Ax^2$ has no solution in
numbers, the coefficients of a unit must, by Exercise 6, satisfy
$1 = y^2 - Ax^2$. Thus, if $x$ and $y$ are integers, $|x|$ and $|y|$ must be numbers
that satisfy Pell’s equation. Therefore $|y| + |x|\sqrt{A} = (y_1 + x_1\sqrt{A})^n$ for
some number $n$. Since $(y_1 + x_1\sqrt{A})(y_1 - x_1\sqrt{A}) = 1$, it follows that
$|y| - |x|\sqrt{A} = (y_1 + x_1\sqrt{A})^{-n}$, so $\pm(|y| \pm |x|\sqrt{A}) = \pm(y_1 + x_1\sqrt{A})^{\pm n}$
and all four possible sign combinations are taken on by the formula
$\pm\varepsilon^n$. The second case is similar.


10. If there are such units, there are odd numbers $x$ and $y$ for
which $y^2 - Ax^2 = \pm 4$. Since the square of an odd number is 1 mod
8, it follows that $1 \equiv A \pm 4 \bmod 8$, so $A \equiv 5 \bmod 8$.


11. If the norm of $\frac{y + x\sqrt{A}}{2}$ is $-1$ then the norm of its square is
1 and its square $\left(\frac{y + x\sqrt{A}}{2}\right)^2$ is $\frac{y' + x'\sqrt{A}}{2}$ where $x'$ and $y'$ are odd.
(In fact, $y' \equiv 3 \bmod 4$.) Therefore, such a unit implies a primitive
solution of $y^2 = Ax^2 + 4$, which implies that repeated application of
the comparison algorithm to $[4, g + \sqrt{A}]$ reaches $[1]$ for the square root
$g$ of 3 mod 4 that is determined by $y \equiv gx \bmod 4$. This is the needed
condition. The methods of Chapter 26 easily show that this is true if
and only if $[4, 1 + \sqrt{A}]$ or $[4, 3 + \sqrt{A}]$ is in the cycle of $[1]$, and in fact
show that it is true if and only if both of them are in the cycle of $[1]$.
This is not the case when $A = 37$.


12. When $A = 21$ the successors of $[1]$ are $[4, 1]$, $[7, 0]$, $[4, 3]$,
and $[1]$. The last step uses $r = 5$ and corresponds to the equation
$21 \cdot 1^2 + 4 = 5^2$, which leads to the unit $\frac{5 + \sqrt{21}}{2}$ whose square is
$\frac{23 + 5\sqrt{21}}{2}$ and whose cube is $55 + 12\sqrt{21}$, which gives the smallest
solution of Pell’s equation. The method is clearer in the less trivial
example $A = 69$. The successors $[f_1, g_1 + \sqrt{69}]$, $[f_2, g_2 + \sqrt{69}]$, $\ldots$
of $[1]$ return to $[1]$ for the first time at $[f_8, g_8 + \sqrt{69}] = [1]$. Because
$[f_5, g_5 + \sqrt{69}] = [4, 1 + \sqrt{69}]$ the smallest solution of $Ax^2 + 4 = y^2$ is
given by


Dio ee sk —— = )) 
so $\frac{25 + 3\sqrt{69}}{2}$ is a unit. Its square is the unit $\frac{623 + 75\sqrt{69}}{2}$ (the equation
$69 \cdot 75^2 + 4 = 623^2$ can also be found by applying the theorem of
Chapter 19 beginning with the module $[f_3, g_3 + \sqrt{69}] = [4, 3]$) and its
cube is $7775 + 936\sqrt{69}$, whose coefficients are the smallest solution
of Pell’s equation. Therefore, $\frac{25 + 3\sqrt{69}}{2}$ is a fundamental unit. In
the same way, whenever the cycle of $[1]$ contains $[4, 1 + \sqrt{A}]$ but not
$[A, \sqrt{A}]$ (the next case is 77) one can find a fundamental unit using the
steps of the comparison algorithm from the last of the two $[4, 1 + \sqrt{A}]$
and $[4, 3 + \sqrt{A}]$ to occur in the cycle up to the first occurrence of $[1]$
to find a solution of $Ax^2 + 4 = y^2$ and derive from it a fundamental
unit.


13. $A = 5$. By the comparison algorithm $[5 + \sqrt{5}][20, 15 + \sqrt{5}] = [20]$,
so multiplication by $[20, 5 + \sqrt{5}]$ and division by $[20]$ gives
$[5 + \sqrt{5}] = [20, 5 + \sqrt{5}]$. Thus $5^2 - 5 \cdot 1^2 = 20$ and division by 20 gives
$5 \cdot (\frac{1}{2})^2 - (\frac{1}{2})^2 = 1$. Thus, $\frac{1 + \sqrt{5}}{2}$ is a unit. Its cube is $2 + \sqrt{5}$, which
gives the smallest solution $(x, y) = (1, 2)$ of $y^2 + 1 = 5x^2$, and the
fundamental unit is $\frac{1 + \sqrt{5}}{2}$.

$A = 13$. By the comparison algorithm,
$[5 + \sqrt{13}][19 + \sqrt{13}][39 + \sqrt{13}][52, 13 + \sqrt{13}] = [12][29][52]$, from which
$[13 + 3\sqrt{13}] = [52, 39 + \sqrt{13}]$. It follows that $\frac{3 + \sqrt{13}}{2}$ has norm $-1$. Its
cube is $18 + 5\sqrt{13}$ which gives the smallest solution of $y^2 + 1 = 13x^2$,
and a fundamental unit is $\frac{3 + \sqrt{13}}{2}$.

$A = 29$. Here $[116, 29 + \sqrt{29}] = [29 + 5\sqrt{29}]$ leads to the fundamental
unit $\frac{5 + \sqrt{29}}{2}$.

$A = 53$. Application of the comparison algorithm to $[212, 53 + \sqrt{53}]$
leads to $[212, 159 + \sqrt{53}] = [53 + 7\sqrt{53}]$. A fundamental unit is
$\frac{7 + \sqrt{53}}{2}$.

$A = 61$. In this case, $[244, 183 + \sqrt{61}] = [305 + 39\sqrt{61}]$ and a
fundamental unit is $\frac{39 + 5\sqrt{61}}{2}$. (The square of this unit is the unit
$\frac{1523 + 195\sqrt{61}}{2}$ and its cube is the unit $29718 + 3805\sqrt{61}$ with norm $-1$.
The square of this unit is the sixth power of the fundamental unit
and the smallest solution of Pell’s equation. Thus, the smallest $x$ for
which $61x^2 + 1$ is a square is $x = 2 \cdot 29718 \cdot 3805$, as was found in
Exercise 4 of Chapter 19.)

$A = 85$. Here $[340, 85 + \sqrt{85}] = [85 + 9\sqrt{85}]$ and a fundamental
unit is $\frac{9 + \sqrt{85}}{2}$.

$A = 109$. $[436, 109 + \sqrt{109}] = [2725 + 261\sqrt{109}]$. Fundamental
unit is $\frac{261 + 25\sqrt{109}}{2}$. (The cube of the fundamental unit is
$8890182 + 851525\sqrt{109}$ and the smallest $x$ for which $109x^2 + 1$ is a square is the
prodigious number $2 \cdot 8890182 \cdot 851525 = 15140424455100$.)


Answers to Exercises for Chapter 21 


1. When A = 2, circles go around 1 and 7, squares around 3 and 
5. For A = 3 the circles are 1 and 11, the squares 5 and 7. For A = 5, 
circles are 1, 9, 11, 19 and squares are 3, 7, 13, 17. For A = 6, circles 
are 1, 5, 19, 23 and squares are 7, 11, 13, 17. In all cases, if k gets a 
circle, then so does 4A — k. 


2. $\phi(60) = 16$. The squares 1 and 49 and their negatives 11 and
59 account for 4 circles. Since 15 is a square mod 7, 7 times any 
circled number is circled, which accounts for another 4 and there are 
no others. 


3. If $A$ is an odd square, the squares of $1, 3, 5, \ldots, A - 2$ are
distinct mod $A$ (because no two of these numbers sum to 0 mod $A$)
and there are $\frac{A-1}{2}$ of them, which gives $\frac{A-1}{2}$ numbers less than $4A$
that must be circled. Subtracting one of these from $4A$ gives another
number that must be circled, which gives $\frac{A-1}{2}$ new numbers that
must be circled, because they are distinct from each other and distinct
from the first set of $\frac{A-1}{2}$ because they are all 3 mod 4 and the first
set, being squares of odd numbers, are all 1 mod 4. Thus, the $A - 1$
circled numbers are all accounted for. Conclusion: Let $A$ and $p$ be
distinct odd prime numbers. If $p \equiv 1 \bmod 4$, then $A \equiv \square \bmod p$ if
and only if $p \equiv \square \bmod A$, but if $p \equiv 3 \bmod 4$, then $A \equiv \square \bmod p$
if and only if $-p \equiv \square \bmod A$. (This is the way Gauss states the
“fundamental theorem” in Article 131 of [G].)


Answers to Exercise for Chapter 23 


1. (a) The content is $[3, 0, 2] = [3, 25] = [1]$. (b) The square
is $[9, 3\sqrt{75}, 75] = [3, 3\sqrt{75}] = [3] \sim [1]$, so $[3, \sqrt{75}]$ is primitive by
the proposition of this chapter. (c) The successor is $[2, 1 + \sqrt{75}]$,
its product with $[3, \sqrt{75}]$ is $[6, 3 + \sqrt{75}]$ by the Chinese remainder
theorem, and the successor of $[6, 3 + \sqrt{75}]$ is $[1]$, so again the module
is primitive by virtue of the proposition.


Answers to Exercises for Chapter 24 


2. When $f$ and $F$ are relatively prime, $[f, g + \sqrt{A}][F, G + \sqrt{A}]$
has the form $[fF, G + \sqrt{A}]$ for some $G$, in which case the signature of
the product is clearly the product of the signatures. More interesting
examples are $[2, \sqrt{10}][2, \sqrt{10}] = [2]$, where both factors have signature
$-\,-$ and the product has signature $+\,+$, and
$[15, \sqrt{15}][3, \sqrt{15}] = [3][5, \sqrt{15}] \sim [2, 1 + \sqrt{15}]$, where the factors have
signatures $-\,+\,-$ and $+\,-\,-$ and the product has signature $-\,-\,+$. Note that the rule
often fails when one or both factors are not primitive.


Answers to Exercises for Chapter 26 


1. The first examples are $[7, 3 + \sqrt{37}]$ and $[7, 4 + \sqrt{37}]$. Others
occur for A = 79, 99, and 101. 


2. See Exercise 1. 


Answers to Exercises for Chapter 27 
1. In the range of the table in the appendix, only A = 37 and 
101 have the desired property. Extend the table to find others. 


2. In the range of the table, the only example is A = 79. Extend 
the table to find others. 


Answers to Exercises for Chapter 30 


1. Set b = 4 in formula (2) to find that
$ax^2 + 2(b + na)xy + (c + 2nb + n^2a)y^2$ is equivalent to $ax^2 + 2bxy + cy^2$. For
sufficiently large $n$, $b + na$ is positive (as is $c + 2nb + n^2a$).
2. The change of variables $x = x_1 + 2y_1$, $y = y_1$ transforms
$2x^2 - 8xy + 3y^2$ to $2x_1^2 - 5y_1^2$ and $x_1 = Y$, $y_1 = -X$ transforms $2x_1^2 - 5y_1^2$
to $-5X^2 + 2Y^2$. What is needed, therefore, is a transformation of
$5X^2 - 2Y^2$ to $13u^2 + 12uv + 2v^2$. These correspond to $[5, \sqrt{10}]$ and
$[13, 6 + \sqrt{10}]$, respectively. The first is stable and application of the
comparison algorithm to $[13, 6 + \sqrt{10}]$ gives
$[15 + 4\sqrt{10}][13, 6 + \sqrt{10}] = [13][5, \sqrt{10}]$ in two steps. Formula (3) then gives
$u = 3X + 2Y$ and $v = 4X + 3Y$ for the desired transformation. Composed with
$X = -y_1 = -y$ and $Y = x_1 = x - 2y$, this transformation is $u = 2x - y$,
$v = 3x - 2y$, the very transformation given by Gauss.


3. The equation 


Dp OT FO Te Oho: <4 

Oe ee OL ack 0 
shows that $-u^2 + pv^2$ is equivalent to $px^2 - y^2$, so the question is
whether the module $[p, \sqrt{p}]$ is equivalent to $[1, \sqrt{p}]$, or, more simply,
whether $[p, \sqrt{p}]$ is in the principal cycle. As was seen in Chapter 27,
this is the case if and only if $p \equiv 1 \bmod 4$ or $p = 2$.


4. The proof is exactly the same as in Chapter 17, except that 
the possibility of subtraction allows for some slight simplifications. 


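5. The identity
$r^2 + (g + \sqrt{-A})(r + \sqrt{-A}) = \frac{g + r}{f} \cdot f \cdot (r + \sqrt{-A}) - A$
analogous to (2) of Chapter 19 implies
$[r + \sqrt{-A}][f, g + \sqrt{-A}] = [f(r + \sqrt{-A}), (g + \sqrt{-A})(r + \sqrt{-A})]$
$= [f(r + \sqrt{-A}), (g + \sqrt{-A})(r + \sqrt{-A}), r^2 + A]$
$= [f(r + \sqrt{-A}), (g + \sqrt{-A})(r + \sqrt{-A}), fF] = [f(r + \sqrt{-A}), fF]$,
from which $[f, g + \sqrt{-A}] \sim [F, G + \sqrt{-A}]$ follows, where $r$
is the least nonnegative solution of $r + g \equiv 0 \bmod f$, $F = (r^2 + A)/f$,
and $G$ is the least nonnegative solution of $r \equiv G \bmod F$.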

6. By Euler’s criterion $C_p(p - 1) \equiv (p - 1)^{(p-1)/2} \equiv 1 \bmod p$, so
$p - 1 \equiv g^2 \bmod p$ for some positive $g$. For example, when $p = 29$,
$[29, 17 + \sqrt{-1}]$ is in canonical form. The comparison algorithm as in
Exercise 5 gives $[29, 17 + \sqrt{-1}] \sim [5, 2 + \sqrt{-1}] \sim [2, 1 + \sqrt{-1}] \sim [1]$
and, as in Chapter 19, $[29, 17 + \sqrt{-1}] = [a + b\sqrt{-1}]$ where $a + b\sqrt{-1} =$
(et v-UGtv-DUFV=)) — 2 4.5./—1, which yields the solution 29 = 
$2^2 + 5^2$. The method works for every $p \equiv 1 \bmod 4$ because $r < f$
(the least nonnegative solution of $r + g \equiv 0 \bmod f$ is less than $f$) so
$F = \frac{r^2 + 1}{f} \le \frac{(f - 1)^2 + 1}{f} = f - 2 + \frac{2}{f}$; thus $F < f$ unless $f = 1$, so
$f$ decreases until 1 is reached and the method of Chapter 19 gives a
representation $[p, g + \sqrt{-A}] = [a + b\sqrt{-A}]$ and $a^2 + b^2 = p$.

7. In the notation of Chapter 24, $C_p(-2) = C_p(-1)C_p(2) =$
A1(p)A2(p) = A3(p) so $[p, g + \sqrt{-2}]$ is in canonical form for some $g$ if
and only if $p$ is 1 or 3 mod 8. That the comparison algorithm must
reach $[1]$ (after which it simply alternates between $[1]$ and $[2, \sqrt{-2}]$)
follows from $F = \frac{r^2 + 2}{f} \le \frac{(f - 1)^2 + 2}{f} = \frac{f^2 - 2f + 3}{f} = f - \frac{2f - 3}{f} < f$ for
$f \ge 2$.

8. $C_p(-3) =$ A1(p)$C_p(3)$ is 1 if and only if $p \equiv 1 \bmod 3$ as one
finds by making use of Euler’s law and $C_5(3) = -1$, $C_7(3) = -1$,
and $C_{11}(3) = 1$. In this case, the method of Exercise 6 gives $F < f$
whenever $f > 2$ so the comparison algorithm applied to
$[p, g + \sqrt{-3}]$ must reach $[1]$ unless it reaches $[2, 1 + \sqrt{-3}]$. But the latter is
impossible because the content of $[2, 1 + \sqrt{-3}]$ is 2 and the content of
$[p, g + \sqrt{-3}]$ is 1.

9. Application of the comparison algorithm to $[29, 13 + \sqrt{-5}]$
reaches $[1]$, but its application to $[7, 3 + \sqrt{-5}]$ cycles through
$[3, 1 + \sqrt{-5}]$, $[3, 2 + \sqrt{-5}]$, and $[2, 1 + \sqrt{-5}]$. There are two equivalence
classes of modules in this case, and a module $[f, g + \sqrt{-5}]$ in canonical
form in which $f$ is relatively prime to 10 is in the principal class if
$f \equiv 1 \bmod 4$ and $f \equiv \square \bmod 5$, in the other class if $f \equiv -1 \bmod 4$
and $f \not\equiv \square \bmod 5$. Thus, $p = \square + 5\square$ if and only if $p \equiv 1$ or $9 \bmod 20$.
A product of two primes $p$ and $q$ that are both 3 or 7 mod 20 has
the form $pq = \square + 5\square$. These facts were known to Fermat, but he
confessed he was unable to prove them.
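The step described in Exercise 5 and the two-squares construction of Exercise 6 can be run mechanically; the following is an added example, not taken from the book. The function names are hypothetical, the division by the intermediate f's follows the pattern of the $[29, 17 + \sqrt{-1}]$ example, and the same walk shows the cycle of Exercise 9 when [1] is never reached.

```python
def comparison_chain(f, g, A):
    """Repeat the step of Exercise 5 from [f, g + sqrt(-A)].

    Returns (modules, rs, reached_one). The walk stops at [1], or at the
    first module seen twice (a cycle that never reaches [1]).
    """
    if (g * g + A) % f:
        raise ValueError("need f | g^2 + A for [f, g + sqrt(-A)]")
    modules, rs = [(f, g % f)], []
    while f != 1:
        r = -g % f              # least nonnegative r with r + g = 0 mod f
        F = (r * r + A) // f    # exact: r^2 = g^2 = -A mod f
        G = r % F               # least nonnegative G with r = G mod F
        rs.append(r)
        repeated = (F, G) in modules
        modules.append((F, G))
        if repeated:
            return modules, rs, False
        f, g = F, G
    return modules, rs, True


def sqrt_minus_one(p):
    """A square root g of -1 mod p, for a prime p = 1 mod 4."""
    if p % 4 != 1:
        raise ValueError("p must be a prime that is 1 mod 4")
    for n in range(2, p):
        if pow(n, (p - 1) // 2, p) == p - 1:   # Euler's criterion
            return pow(n, (p - 1) // 4, p)
    raise ValueError("no non-residue found, so p is not prime")


def two_squares(p, g=None):
    """Write p = a^2 + b^2 from the chain of [p, g + sqrt(-1)] (Exercise 6)."""
    g = sqrt_minus_one(p) if g is None else g
    modules, rs, reached_one = comparison_chain(p, g, 1)
    if not reached_one:
        raise ArithmeticError("chain did not reach [1]")
    a, b = 1, 0
    for r in rs:                # multiply by r + sqrt(-1)
        a, b = a * r - b, a + b * r
    d = 1
    for f, _ in modules[1:-1]:  # divide by the intermediate f's
        d *= f
    if a % d or b % d:
        raise ArithmeticError("product is not divisible by the f's")
    return abs(a) // d, abs(b) // d
```

Calling `two_squares(29, 17)` walks the chain of Exercise 6, and `comparison_chain(7, 3, 5)` reproduces the cycle of Exercise 9.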


Answers to Exercises for Chapter 31 


1. In this case, $[sa, sb + \sqrt{A}] = [1, \sqrt{A}]$ and $\sigma = 1$, so formula (2)
implies £ = 1, $F = \alpha$, and $G = \beta$, from which $Y = \alpha yu + \beta yv + xv$
and then $X = xu - \beta yu - \gamma yv$. When $X$ and $Y$ are defined in this
way, the formula $(x^2 - Ay^2)(\alpha u^2 + 2\beta uv + \gamma v^2) = \alpha X^2 + 2\beta XY + \gamma Y^2$
holds.
2. $[3, 1 + \sqrt{-140}][9, 7 + \sqrt{-140}]$

$= [27, 21 + 3\sqrt{-140}, 9 + 9\sqrt{-140}, -133 + 8\sqrt{-140}]$
$= [27, 21 + 3\sqrt{-140}, 142 + \sqrt{-140}, -133 + 8\sqrt{-140}]$
$= [27, 21 + 3\sqrt{-140}, 7 + \sqrt{-140}, -133 + 8\sqrt{-140}]$
$= [27, 7 + \sqrt{-140}]$.


In ths cases: o-=.1,.0 = 3,:0=1,0=9, 6=]7, 8 =i, F = 27, 
G = 7 from which 


$(3x^2 + 2xy + 47y^2)(9u^2 + 14uv + 21v^2) = 27X^2 + 14XY + 7Y^2$
where $X = xu - 2yu - 7yv$, $Y = 3xv + 9yu + 8yv$.


3. By assumption, there is a change of variables $x_1 = qx + ry$,
$y_1 = sx + ty$ with $qt - rs = 1$ that transforms $a_1x_1^2 + 2b_1x_1y_1 + c_1y_1^2$
to $ax^2 + 2bxy + cy^2$. This same change of variables in $X_1$ and $Y_1$ gives
polynomials $X_2$ and $Y_2$ in $x$, $y$, $u$, and $v$ for which
$(ax^2 + 2bxy + cy^2)(\alpha u^2 + 2\beta uv + \gamma v^2) = A_1X_2^2 + 2B_1X_2Y_2 + C_1Y_2^2$. Thus, the two
forms $AX^2 + 2BXY + CY^2$ and $A_1X^2 + 2B_1XY + C_1Y^2$ compose the
same two forms so they are equivalent by Gauss’s theorem.


Although number theorists have sometimes shunned and even 
disparaged computation in the past, today’s applications of 
number theory to cryptography and computer security demand 
vast arithmetical computations. These demands have shifted the 
focus of studies in number theory and have changed attitudes 
toward computation itself. 


The important new applications have attracted a great many 
students to number theory, but the best reason for studying the 
subject remains what it was when Gauss published his classic 
Disquisitiones Arithmeticae in 1801: Number theory is the equal of 
Euclidean geometry—some would say it is superior to Euclidean 
geometry—as a model of pure, logical, deductive thinking. An 
arithmetical computation, after all, is the purest form of deductive 
argument. 


Higher Arithmetic explains number theory in a way that gives deductive
reasoning, including algorithms and computations, the central
role. Hands-on experience with the application of algorithms to
computational examples enables students to master the fundamental
ideas of basic number theory. This is a worthwhile goal
for any student of mathematics and an essential one for students
interested in the modern applications of number theory.